Governance, Risk and Compliance Controls to Counter Financial Crime - Estate Agency, Legal and Accountancy Services

Governance, Risk and Compliance Controls to Counter Financial Crime – Estate Agency, Legal and Accountancy Services Thematic Review - 2024 Published: 04 April 2024

Page 2 of 31 Executive Summary During Q4 2023, the Commission undertook a thematic review to assess the effectiveness of the governance, risk and compliance controls within Estate Agents, Accountants and Lawyers registered with the Commission as prescribed businesses. These sub-sectors are generally considered within the Bailiwick’s National Risk Assessment (“NRA”) to be at the lower end of the risk spectrum. An analysis of data provided by all 107 prescribed businesses registered as of September 2023 when the thematic commenced, resulted in 18 firms being identified for an onsite assessment by the Commission. A number of factors drove the selection of these firms including the information provided within the annual Financial Crime Risk Return and Prescribed Business Return. Along with meetings with the Board and the Money Laundering Compliance Officer, the Commission reviewed a total of 105 customer files, chosen on pre-selected higher risk indicators, relating to business relationships or occasional transactions these firms had, of which just under half had been assessed by the firm as being high-risk. In over half of the files no material deficiencies were identified, however 52 customer files contained one or more deficiencies against the requirements of Schedule 3 and the Handbook. Whilst these figures appear high, approximately 70% of customer files reviewed had a documented risk assessment which considered all relevant risks. This thematic also gave the Commission the opportunity to assess improvements made following other recent thematic reviews, such as those conducted on Business Risk Assessments and Politically Exposed Persons. We were surprised to learn that some prescribed businesses had not read these reports, and even fewer had conducted any self-assurance checks or otherwise reviewed their business in the context of the good and poor practices that had been highlighted. Thematic reviews are a means by which the Commission shares guidance with industry and highlights improvements that firms may take to strengthen their control frameworks. It was therefore concerning to identify that some of the prescribed businesses we met still exhibited the poor practice which had been pointed out within earlier reports. That said, it was encouraging to note that all 18 firms wanted to maintain strong and effective policies, procedures, and controls to prevent, forestall and detect financial crime. Such positive attitudes are reflective of the importance these sectors attach to the Bailiwick’s reputation as a well-regulated and professional financial centre and a jurisdiction where money launderers or terrorist and proliferation financers are not welcome.

Page 3 of 31 In total five areas for improvement were identified, none of which were specific to any one sector. Remediation programmes have been set for some firms across all three sectors, with no one sector exhibiting any significant thematic weaknesses. Whilst this thematic review focussed on the governance, risk and compliance controls within prescribed businesses, the general principles contained in this report are relevant to all financial services and prescribed businesses. We hope that the case studies, good practice points and areas for improvement will assist firms in assessing their money laundering, terrorist financing and proliferation financing risks and developing commensurate policies, procedures, and controls for mitigating those risks. The Commission will consider how firms have incorporated the findings from this report, and previous thematic reviews, as part of its ongoing supervision. At the end of this thematic report there is a question set which will assist all prescribed businesses in their consideration of their financial crime governance and compliance controls. All firms registered with the Commission as a prescribed business are being asked to read this report and subsequently confirm to the Commission that any relevant changes have been made as a result of their considerations of the thematic review and question set. In light of the guidance included in this report and where appropriate, we are also asking these firms to review the Financial Crime Risk Return submitted for the reporting period ending 30 June 2023 to ensure that their submissions are accurate. Whilst writing, we would like to take the opportunity to remind all firms of the requirement to undertake sanction screening for all new business relationships and occasional transactions, including screening of the customer, beneficial owner, and other key principals. Such screening should be performed, as a minimum, at the time of take on, during periodic reviews and when there is a trigger event generating a relationship risk review. I would also draw to your attention two recent Handbook rules, namely 12.37 which requires the disclosure of certain information to the Commission following an identified sanction connection and 12.38 which requires the maintenance of a sanctions register. All firms should familiarise themselves with these new rules and implement any relevant changes to their policies, procedures, and controls as soon as practicable. Finally, I would like to take this opportunity to thank the firms involved in this thematic review through providing requested documentation in advance and participating in the onsite inspections. Rosemary Stevens Deputy Director 04 April 2024

Page 4 of 31 Summary of areas for improvement

Effective Policies, Procedures, & Controls (page 13) Issue: in some instances, firms lacked appropriate or effective policies, procedures, and controls in accordance with Paragraph 15(1)(b) of Schedule 3 and Handbook Rule 2.14. Action: ensure that the firm has adequate policies and procedures which cover all required aspects of Schedule 3 and the Handbook which have regard to the ML, TF and PF risks, and size, nature and complexity of the business. This includes conducting and maintaining ML, TF and PF Businesss Risk Assessments. Risk Assessments & Identification of the Customer (page 14) Issue: in some instances firms failed to identify who the customer was within a transaction or correctly identify which entity within the transaction is the customer. Risk assessments did not always consider all relevant risk factors to a relationship and were tick-box in nature. Action: ensure that the firm's policies and procedures are sufficient to enable staff to correctly identify who the customer is, and once identified, ensure that all relevant risk factors are considered, together with their mitigation, when determining the level of overall risk. Verification of SOF & SOW (page 21) Issue: in some instances firms did not go into sufficient depth to establish and understand the customer's source of funds and source of wealth with corroboration, at times, appearing minimal. Where customers are engaged with other FSB's or Prescribed Businesses, too much reliance was placed on the controls implemented by these businesses. Action: where higher risk factors are identified, firms must ensure that SOF/SOW information is corroborated and an assessment should be made as to the veracity of the corroborating information. Oversight of Outsourced Functions (page 27) Issue: in some instances firms did not maintain sufficient oversight of outsourced functions resulting in deficiencies within the compliance framework. Action: ensure that the Board/Partners have sufficient AML/CFT/CPF knowledge to maintain an effective system of oversight over outsourced compliance functions. Determination of Business Relationships or Occasional Transactions (page 23) Issue: in some instances firms did not demonstrate a considered determination of whether their enagement with the customer was a business relationship or occasional transaction resulting in misleading management information, inappropriately scheduled periodic reviews and inconsistent regulatory reporting in comparison with their peers. Action: ensure that the process for determining whether the engagement with the customer is a business relationship or occasional transaction is correctly informed and monitored and that regulatory reporting is consistent with guidance in this report and the Financial Crime Risk Return guidance document. The Commission's Financial Crime Risk Return guidance will be updated to provide additional help in this area.

Page 5 of 31 Glossary of Terms AML – Anti-Money Laundering Bailiwick – Bailiwick of Guernsey Board – Board of directors (or the senior management where the prescribed business is not a body corporate) CDD – Customer Due Diligence CFT – Countering the Financing of Terrorism Commission – Guernsey Financial Services Commission CPF – Countering the Financing of Proliferation of Weapons of Mass Destruction DNFBPs – Designated Non-Financial Businesses and Professions ECDD – Enhanced Customer Due Diligence FATF – Financial Action Task Force Firm – A financial services or prescribed business subject to the requirements of Schedule 3 and the Handbook FSB – Financial Services Business Handbook – The Handbook on Countering Financial Crime and Terrorist Financing issued on 10 July 2023 (to be read synonymous with the Handbook on Countering Financial Crime (AML/CFT/CPF)) ML – Money Laundering MLCO – Money Laundering Compliance Officer NRA – Bailiwick 2019 National Risk Assessment Report on Money Laundering and Terrorist Financing1 NRA2 – Bailiwick 2023 National Risk Assessment Report on Money Laundering, Terrorist Financing and Proliferation Financing PEP – Politically Exposed Person PF – Proliferation Financing Proceeds of Crime Law - The Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 SAR – Suspicious Activity Report Schedule 2 – Schedule 2 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 Schedule 3 – Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 SOF/SOW – Source of Funds/Source of Wealth TCSP – Trust and Corporate Service Provider TF – Terrorist Financing In 2024 the Commission updated its Handbook as referenced above. The thematic review was conducted prior to this release, with this report being written based on the requirements relevant at the time, as well as on an ongoing basis. Where Handbook references provided have changed, clarification is provided in a footnote. 1 Relevant National Risk Assessment at the time of the assessment but now superseded by NRA2.

Page 6 of 31 Contents Executive Summary .................................................................................................................................... 2 Summary of areas for improvement ........................................................................................................... 4 Glossary of Terms....................................................................................................................................... 5 Section 1: Background............................................................................................................................. 7 1.1 Overview of Prescribed Business Activities and Registration Requirements............................................7 1.2 Rationale for the Thematic .........................................................................................................................8 1.3 Scope of the Thematic Review...................................................................................................................9 Section 2: Prescribed Business within the Bailiwick............................................................................. 10 2.1 Sector Breakdown ....................................................................................................................................10 Section 3: Thematic Findings ................................................................................................................ 13 3.1 Policies and Procedures............................................................................................................................13 3.2 Risk Assessments .....................................................................................................................................14 3.3 Identification of the Customer..................................................................................................................17 3.4 Source of Funds & Source of Wealth.......................................................................................................21 3.5 Business Relationships and Occasional Transactions ..............................................................................23 3.6 Placing Reliance on Other Financial Services Businesses and Prescribed Businesses............................26 Section 4: Conclusion ............................................................................................................................ 28 Appendix: Activities Subject to Schedule 2 of the Proceeds of Crime Law ......................................... 31

Page 7 of 31 Section 1: Background 1.1 Overview of Prescribed Business Activities and Registration Requirements Recommendation 1 of the FATF International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation2 identifies that countries should require designated non-financial businesses and professions3 (“DNFBPs”) to identify, assess and take effective action to mitigate their money laundering, terrorist financing and proliferation financing risks. Schedules 2 and 5 to The Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 identify three sectors, namely Estate Agency, Lawyers, and Accountancy Businesses undertaking specific activities as being Prescribed Businesses as part of the Bailiwick’s implementation of FATF Recommendation 1. Schedule 2 sets out these specific activities as detailed within the appendix to this report. Schedule 5 to the Proceeds of Crime Law sets out the requirements for Prescribed Businesses to register with the Commission, with Schedule 3 embodying the requirements on those businesses to counter financial crime, with the Commission as the supervisory authority responsible for monitoring and enforcing compliance for the purposes of AML/CFT/CPF supervision. It is important to understand that not all activities which may be conducted by a lawyer, accountant or estate agent are within the scope of prescribed business activities. Any activity they undertake which falls outside of those mentioned in Schedule 2 is not prescribed business activity and is accordingly not subject to the Bailiwick’s financial crime framework4 . However, where firms are undertaking activities which are not captured by the Bailiwick’s AML/CFT/CPF framework, firms must remain cognisant of the other laws and requirements to which they may still be subject, for example Section 40 of the Proceeds of Crime Law which relates to the acquisition, possession, or use of criminal property. Examples of activity which would fall outside of a firm’s prescribed business registration may include, but is not limited to, the following:

• An estate agency acting as the letting agent or property manager for a rental property,
• An accountancy business providing regulatory assurance and advisory services to third parties,
• An accountant who provides bookkeeping and accountancy services to their employer (such as an in-house accountant),
• A lawyer acting in the course of the prosecution or defence of criminal cases,
• A lawyer providing legal services in civil litigation. 2 “The FATF Recommendations – International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, November 2023” - FATF Recommendations 2012.pdf.coredownload.inline.pdf (fatf-gafi.org) 3 Namely: casinos; real estate agents; dealers in precious metals and dealers in precious stones; lawyers, notaries, other independent legal professionals, and accountants; and trust and company service providers. 4 Unless that activity would comprise an activity requiring licensing under other supervisory laws.

Page 8 of 31 1.2 Rationale for the Thematic The 2020 NRA assessed the money laundering and terrorist financing risks of the legal sector as being Medium and Lower, the accountancy sector as being Medium Lower and Lower, and the real estate sector as being Lower and Much Lower respectively. The 2023 NRA2 has not altered the risk rating of these sectors, which represent the mid to lower risk aspects of the Bailiwick’s exposure to money laundering and terrorist financing. In addition, NRA2 has considered the proliferation financing risks as Lower for legal and accountancy services and Very Much Lower for real estate. As this thematic review was commenced prior to the publication of NRA2, both NRAs have been taken into consideration in the course of the Commission’s assessments. The Commission’s risk-based approach to its financial crime supervision focuses its proactive supervision towards those sectors which are perceived to present the higher financial crime risks to the Bailiwick. Many prescribed businesses are small in scale, offer relatively simple products, and provide services principally to local Bailiwick residents. However, whilst the NRA recognises that lawyers, accountants, and estate agents are at the lower end of the risk spectrum, this does not mean that these sectors have no risk exposure or that there are no higher or lower risk firms within each sector. Internationally it is recognised that the legal sector in most countries is considered attractive to criminals because of the credibility and respectability it can convey, which may help to create distance between funds and their illicit source and to integrate those funds into the legitimate economy. From a Guernsey perspective, the exposure of the legal sector to criminality arises from its role in introducing foreign business to the domestic financial services sector, which means that it is exposed to criminality in the same way as those sectors. Accountants are also seen internationally as attractive to criminals due to the credibility and respectability they can convey, which may help to create distance between funds and their illicit source and to integrate those funds into the legitimate economy. The sector's exposure to criminality primarily comes from foreign criminals requesting tax NRA2 Risk Rating Money Laundering Risks Terrorist Financing Risks Proliferation Financing Risks Medium Legal Medium Lower Accountancy Lower Real estate Legal, Accountancy Legal, Accountancy Much Lower Real Estate Very Much Lower Real Estate

Page 9 of 31 advice in relation to their ownership, or involvement in legal persons and legal arrangements and regulated investment schemes. However, this exposure is reduced by the fact that the sector's clients are frequently financial services businesses or entities administered by other reporting entities, and also by Guernsey's adoption of international standards in respect of tax transparency. A further exposure may arise from accounts that have been falsified to disguise criminality and are unwittingly approved by accountants, particularly when auditing and signing off accounts for collective investment schemes with intricate structures and complex trading strategies. However, this exposure is reduced by the fact that accountancy firms are subject to audit regulations and in addition, the accounts of collective investment schemes are usually prepared by the licensed fund administrator. Although real estate agents accept deposits and the acquisition of real estate is recognised internationally as a method of money laundering, the opportunity for this in Guernsey is restricted because the small physical size of each of the islands within the jurisdiction means that the availability of real estate is limited and the controls on the occupation of property by persons outside the jurisdiction limit the attractiveness of the sector for laundering foreign proceeds of crime. The attractiveness of using real property in the jurisdiction for money laundering purposes is further limited by the fact that all property transfers must be approved by the court, by an official, or by a legal practitioner as the case may be. The Commission has a risk-based onsite inspection programme for all sectors, including prescribed businesses. Whilst estate agents, law firms and accountants have been included in our pervious thematic reviews assessing specific AMLCFT requirements, this is our first thematic review focussing exclusively on prescribed businesses to assess their governance, risk, and compliance controls with respect to Schedule 3 and the Handbook. 1.3 Scope of the Thematic Review The Commission undertook an analysis of the 30 June 2023 data submitted by all 1075 prescribed businesses registered with the Commission within their Financial Crime Risk and Prescribed Business returns. The analysis considered the data as a whole, and the legal, accountancy, and estate agency sectors separately to identify areas of consistency or any areas where one or more firms may be an outlier, to identify a representative sample of firms from each of the three sectors. 18 firms were selected for an onsite visit to assess the effectiveness their financial crime governance, risk, and compliance controls. The assessment included a review of the firm’s ML and TF business risk assessments, customer onboarding procedures, MLCO reporting to the Board/Partners, and minutes of Board/Partner meetings. Each firm was requested to identify six business relationship/occasional transactions which conformed to certain pre-selected criteria designed to capture the higher risk aspects of the firm’s activities and customer base (rather 5 As at commencement of data analysis in September 2023

Page 10 of 31 than the Bailiwick customers utilising lower risk products and services) and provide the Commission with the customer file for that business relationship/occasional transaction for examination whilst onsite. The selection criteria included identifying the most recently onboarded foreign and domestic PEP customers, most recently onboarded high risk, non-PEP customer, the most recently onboarded customer from a high-risk jurisdiction, the most recently onboarded legal person and legal arrangement customer, the customer with the highest value client money account and the longest held client money account, and the customer with the most recently filed internal SAR. Some assessed firms did not accept high risk customers in accordance with their risk appetite, and in such cases the Commission requested that firms provide multiple files matching the same criteria, for example, several of the most recently onboarded legal persons/arrangements. In total, the Commission reviewed 105 customer relationships/transactions during its onsite visits. Whilst onsite, a meeting was also held with the Board/senior management of the firm and the MLCO to explore their understanding of the AML/CFT risks to the business and the controls that the firm had implemented to mitigate these risks. Section 2: Prescribed Business within the Bailiwick 2.1 Sector Breakdown On commencing this review, 107 firms were registered with the Commission as prescribed businesses, with the split between estate agents, accountants and lawyers as follows: 66 22 19 0 10 20 30 40 50 60 70 Accountant Estate Agent Lawyer Number of Prescribed Businesses Registered with the Commission (Sept 2023)

Page 11 of 31 Prescribed businesses vary in size from sole traders to prescribed businesses which are part of large multi-national groups. Approximately 55% of prescribed businesses had fewer than five employees and 12% had more than 50 employees as of 30 June 2023. This range is reflected in the services which are offered, varying from simple offerings to Bailiwick residents to more complex services to non-Bailiwick resident customers, with the AML/CFT/CPF profile of each prescribed business dependant on its products, services, and target market. The following charts show a breakdown of the activities performed by prescribed business sub-sectors for the year ending 30 June 2023: In the year ending 30 June 2023, over half a billion pounds worth of real estate transactions were conducted within the Bailiwick, with over two thirds of this value representing local market transactions. These transactions reflect a significant amount of money changing hands, and whilst estate agency activity features at the lower end of the risk spectrum, firms must remain vigilant to the risk of persons using the property market to launder criminal funds. The charts below indicate the breakdown of business relationships and occasional transactions by volume, and not by value: Approximately 75% of accountancy business within the Bailiwick stems from services provided to legal persons/arrangements, with over half of those being with Guernsey resident legal persons/arrangements. The remaining 25% of business is to natural persons, with a significant proportion of these being Guernsey resident natural persons. A greater focus is therefore seen within accountancy businesses in servicing Bailiwick customers, rather than customers from overseas.

Page 12 of 31 Approximately 50% of Bailiwick law firms derive less than half of their annual turnover from their prescribed business activity. Of the natural person customers serviced by law firms, almost 90% are resident within the Bailiwick. This contrasts with the roughly 50/50 split for legal persons/arrangements serviced between Bailiwick residents and those resident overseas.

Page 13 of 31 Section 3: Thematic Findings 3.1 Policies and Procedures An effective AML/CFT/CPF framework starts with the Board/Partners identifying, assessing, and understanding the risks within the business and documenting these within the firm’s money laundering, terrorist financing, and proliferation financing business risk assessments. Critically, these BRAs should be informed by the risks and methodologies highlighted within the Bailiwick’s NRA which are relevant to the nature of the firm’s activities. The BRAs will then drive the formulation of the firm’s policies, procedures, and controls to manage and mitigate the firm’s identified risks. Policies and procedures will only be effective if they are based upon sound risk assessments, are accessible, understandable, comprehensive, and provide an explanation of how they should be applied in practice on an operational basis. Procedures which are too complicated for staff to follow or secured in areas of the firm’s systems, inaccessible to front line staff, will prove ineffective. Firms should ensure that the policies, procedures, and controls are comprehensive and capture all relevant aspects of complying with Schedule 3 and the Handbook’s rules and that when applicable legislation and regulatory requirements are amended, they are promptly reviewed in light of any changes. For example, firms should now be considering whether their existing policies and procedures satisfactorily address the requirements covering proliferation financing implemented within Paragraph 16A of Schedule 3 and the Handbook on Countering Financial Crime (AML/CFT/CPF). Area for Improvement: Multi-jurisdictional policies, procedures, and controls The sample of firms visited within this thematic included standalone businesses as well as those who were part of a group which had other entities operating in overseas jurisdictions. For some of these firms, policies and procedures were standardised to a group format to be adopted and followed groupwide. In such cases, the prescribed business must take care to ensure that policies and procedures meet the Bailiwick’s AML/CFT/CPF legislative and regulatory requirements. Where any group policies and/or procedures do not meet Bailiwick requirements, the prescribed business must implement supplemental (or replacement) policies and procedures to ensure its own obligations are met. Good practice was observed where firms had reviewed group policies and procedures to ensure that they aligned with the Bailiwick’s regulatory requirements. Conversely, in an example of poor practice, one firm, which is a subsidiary of a group, had adopted the group policies which did not reflect the legislative and regulatory framework

Page 14 of 31 in Guernsey. This firm’s procedures were tailored entirely to its parent’s jurisdiction with references within those procedures to that jurisdiction’s legislation and regulatory regime, with no apparent consideration to the Bailiwick’s requirements. As the two regimes did not entirely align, this resulted in omissions within the firm’s controls and it not meeting its Bailiwick obligations. 3.2 Risk Assessments Where prescribed businesses are conducting activities specified in Schedule 2 and therefore subject to the Bailiwick’s AML/CFT/CPF framework, they are required to undertake a relationship risk assessment prior to the commencement of a business relationship or undertaking of an occasional transaction. This risk assessment should capture all relevant risks associated with the relationship/transaction including those posed by the products and services offered, the delivery channels, risk factors associated with the customer, as well as other factors such as jurisdictional risk. The Commission has identified weaknesses in aspects of the methodology relating to the relationship risk assessments undertaken by a number of the firms visited in its thematic review. Most of these risk assessments would have been sufficient to document and assess the risks present in a standard or low risk transaction/relationship, which forms 91.4% of all prescribed business activities. However, the risk assessments for high-risk customers were not always comprehensive in the consideration of all relevant risks. Firms should make sure that their policies and procedures to identify and mitigate higher risk factors are sufficiently robust and consistently followed. Both good and poor practices were observed within the risk assessments which have been summarised by the table below: Good Practice Poor Practice ✓Risk assessments consider all relevant risks within the relationship/transaction including those risks posed by the customer’s SOF/SOW, adverse media and sanction screening results, jurisdictional risks, delivery channel risks, the value of the transaction/assets involved, ownership structure and beneficial ownership, and any other relevant risk factors.  Risk assessments consider only a few risk aspects and do not allow for consideration of all relevant risk factors that may be present within a relationship/transaction. ✓Response to the questions posed in a risk assessment form are not solely restricted to pre￾set answers to choose from, but allow for a detailed consideration to be recorded in free￾text fields without the need for appendices or  Responses to the questions posed in a risk assessment form can only be answered with pre-set responses and the ability for any risk consideration to be documented on the assessment is limited. Answers are limited to only drop-down, tick box, or Yes/No answers.

Page 15 of 31 It is important that risk assessments consider all relevant elements of risk within a transaction or relationship holistically. This means that risk assessments must be kept up to date, periodically reviewed (for ongoing relationships), and reviewed following the identification or introduction of any additional relevant risk factors. For an occasional transaction, typically only a single risk assessment will be conducted prior to the undertaking of the transaction. For a business relationship, however, these risk assessments must be subject to a periodic review at a frequency determined by the firm on a risk basis. Below we specifically cover the approach which estate agents should be taking on risk assessing real-estate transactions: An estate agent commences an occasional transaction on starting to act for a vendor with a view to effect the sale of a property. The estate agent must conduct a risk assessment on the transaction which will at this point consider only those risk factors relevant to the vendor (unless the purchaser was also known to the estate agent at that time). Once the vendor has agreed to the sale, additional customer risks have been introduced by the purchaser which should now be assessed and considered within a risk assessment. It may also be necessary to update the assessment again, for example if the property sale was to fall through and a new offer from a different purchaser accepted. Estate agents assessed in this thematic handled this matter in two distinct ways as part of their risk-based approach, typically either conducting a single relationship risk assessment on the whole matter which factored in the risks of both vendor and purchaser in a phased approach as the extensive cross referencing to other documentation. ✓Risk assessments provide a detailed consideration of relevant risk factors, identify relevant mitigation for these risks and detail the decision making made during the assessment.  Risk assessments list identified risk factors with no assessment of the risks presented or the mitigation that can be applied. ✓ Where a background scoring methodology has been incorporated into the risk assessment, the methodology is well thought through and regularly reviewed to ensure an appropriate risk rating, and which reflects the risks present within the transaction/relationship.  Background scoring methodology results in risk ratings being applied to relationships/transactions which are not true reflections of the risk of the relationship/transaction. ✓Risk assessments are dynamic and are reviewed whenever key risks within the relationship/transaction change or at a frequency proportionate to the risk rating. This also includes assessments for occasional transactions such as property sales, where the transaction may remain a live matter for a length of time during which risk factors may change.  Risk assessments are static and conducted at the time of onboarding and then never re￾considered. When new risk factors are identified within the course of the relationship/transaction these risk factors are not factored into the risk assessment.

Page 16 of 31 relevant parties became known, or conducting separate risk assessments on the two parties at the appropriate onboarding times. Whatever method is employed, it is important that both vendor and purchaser customer risk factors, and a holistic consideration of the risks within the transaction, are documented to demonstrate how the firm has determined the overall level of risk within the transaction. In considering risks holistically, for example, where the vendor poses a low risk and the purchaser a high risk, the transaction should be rated as high (except in extraordinary circumstances and where sufficient mitigating factors exist and are documented) with the firm taking reasonable ECDD6 measures on the purchaser as this is where the higher risk factors are. Whilst applying an overall high-risk rating also imposes ECDD measures on the lower risk vendor, reasonable measures for establishing and understanding the vendor’s SOF/SOW should be taken using a risk￾based approach, and this consideration recorded, with the extent of the SOF/SOW corroboration likely to be much lower. Similar consideration would also be relevant to an occasional transaction in situations where the risk factors in relation to the services being provided change. For example, where the customer decides to migrate a company to a different jurisdiction to that originally intended. Firms should therefore be cognisant that the risks within an occasional transaction can change between the time of onboarding and the time of completion, and whilst occasional transactions may not be subject to periodic review in the same manner as business relationships, where changing risk factors are identified the risk assessment should be reviewed in light of that. Case Study: Lack of adequate policies and procedures governing Enhanced Measures The Commission identified that seven firms had difficulty in meeting the requirements of Paragraph 5(2) of Schedule 3 (Enhanced Measures). Their deficiencies stemmed from a lack of documented policies and procedures governing the application of enhanced measures to certain categories of customer (i.e., non-Bailiwick resident, customers which are personal asset holding vehicles or customers with nominee shareholders). These weaknesses included procedures which did not explain how to mitigate higher risk factor/s that each category of customer may present; or staff instructed to use other policies and procedures, such as those governing ECDD, which may have 6 Paragraph 5 of Schedule 3 sets out the circumstances where ECDD must be carried out, without limitation and includes where the customer or any beneficial owner is a foreign politically exposed person. Please refer to Paragraph 5 for further situations where ECDD is required.

Page 17 of 31 incidentally satisfied enhanced measures. In the latter situation, enhanced measures appeared to be applied accidentally, rather than intentionally selected as the most appropriate enhanced measure to mitigate the higher risk. In addition, instances were observed where the procedures for enhanced measures were included only within the firm’s ECDD procedures for high-risk customers, and failing to reflect that enhanced measures are required for standard and low risk customers where the following criteria are met7 : (a) the customer is not resident in the Bailiwick, (b) the customer is provided with private banking services, (c) the customer is a legal person or legal arrangement used for personal asset holding purposes; or, (d) the customer is a legal person owned with nominee shareholders or owned by a legal person with nominee shareholders. For example, one customer risk assessment correctly considered that the customer was a natural person resident in another jurisdiction, a criterion requiring the application of enhanced measures for being a non-Bailiwick resident. However, despite this risk factor being identified, no enhanced measures were applied to the transaction because it had not been rated high risk. 3.3 Identification of the Customer A key aspect in an effective AML/CFT/CPF compliance framework is the ability to correctly identify the customer in a business relationship or occasional transaction. Without knowing who the customer is within any given engagement, firms will fail to understand, assess, and mitigate the risks of the relationship/transaction, and fail to apply adequate CDD measures, ongoing monitoring, or effectively implement other controls. This thematic review highlighted that three firms had not correctly identified who their customer was within one or more relationships/transactions. Their approach had been that the person or entity that had established contact with the firm is their customer. This interpretation was at odds with the Commission’s expectations and the FATF Recommendations. The term ‘customer’ is defined within Paragraph 21(1) of Schedule 3 as being a person or legal arrangement who – (a) is seeking to establish, or has established, a business relationship with a specified business, or (b) is seeking to carry out, or has carried out, an occasional transaction with a specified business. Except that where such a person or legal arrangement is an introducer, the customer is the person or legal arrangement on whose behalf the introducer is seeking to establish or has established the business relationship. 7 the application of enhanced measures is included under Paragraph 5(2) of Schedule 3

Page 18 of 31 The determination of the customer is particularly important when applying ECDD measures to a relationship/transaction, for example in the application of Paragraph 5(3)(a) of Schedule 3 governing the identification and verification of a customer’s source of funds and source of wealth for the customer, and beneficial owner, where the beneficial owner is a PEP. Where firms fail to identify the correct customer, mandatory ECDD measures may therefore be overlooked. The following examples and case studies are intended to provide guidance in determining the customer within a business relationship or occasional transaction: Case Study: Estate Agents – Vendor & Purchaser In a real estate transaction, the estate agents should treat both the vendor and the purchaser as the customer. The vendor and purchaser each seek to carry out an occasional transaction with the estate agent: the vendor engages the estate agent looking to sell their property; and the purchaser engages the estate agent to assist finding a property to purchase. Both parties therefore satisfy point (b) of the definition of a customer within Paragraph 21(1) of Schedule 3. The Bailiwick’s approach to identification of the customer within a real estate transaction is aligned with that of FATF, who specifically opine that8 :

1. Real estate agents should comply with the requirements of Recommendation 10 with respect to both the purchasers and vendors of the property However, instances were observed where the estate agent failed to treat the purchaser as a customer, instead focussing its risk considerations and CDD/ECDD solely on the vendor. Such a practice runs counter-intuitive to one of the main risks in real estate transactions that proceeds of crime may be used to purchase properties to launder these illicit proceeds and then, as a vendor, sell the property thereby converting these laundered proceeds back into usable currency to further integrate into the financial system. In one instance, the estate agent had identified and verified the identity of the vendor (a Guernsey company) in a commercial property sale. The firm had correctly undertaken CDD measures on this company and taken appropriate identification and verification measures on its beneficial owners. However, no measures were taken to identify and verify the identity of the company to whom the property was being sold, or the beneficial owners of that company, as the estate agent did not consider the purchasing company to be its customer. Furthermore, no risk assessment 8 Interpretive Note to Recommendation 22, https://www.fatf-gafi.org/content/dam/fatf￾gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf

Page 19 of 31 had been conducted which considered the risks posed by the purchaser. In this situation, the estate agent had exposed itself to the risk of having facilitated a money laundering offence, as they had not taken any steps to consider the purchaser. Area for Improvement: Determination of the customer and application of ECDD where services are requested by a Financial Services Business or Prescribed Business acting on behalf of its own customers Owing to the nature of the services provided by many prescribed businesses, a significant source of business will originate from FSBs and other prescribed businesses, both within Guernsey and overseas, who will contact the prescribed business to request services on behalf of their own customers. In such cases, firms should consider whether the services which they are providing are being provided to the FSB/prescribed business who has approached the firm or whether they are actually being provided for the benefit of another person/entity. The thematic review has highlighted that a small number of prescribed businesses are treating the FSB or prescribed business which approached them as their customer, rather than the underlying entity for whom the services are being sought. Whilst in almost all cases, the underlying entity/person for who the services were being provided were correctly identified and verified in accordance with the requirements of Schedule 3 for CDD purposes, the incorrect identification of the customer causes an issue when firms seek to apply ECDD measures to higher risk relationships. The following hypothetical case study illustrates this: Case Study: A Bailiwick Trust and Corporate Service Provider engages with a law firm to provide services for an administered company to purchase another company A TCSP administers a company whose board has decided to purchase another company as part of its asset diversification plans. The TCSP contacts a Bailiwick law firm to draft documentation for the acquisition of the target company. The law firm considers this instruction as an occasional transaction owing to the one-off nature of its services and undertakes appropriate identification and verification measures on both the TCSP and the company. Through its onboarding process, the law firm correctly identifies its customer as the company and that it is a holding company for an overseas entity involved in the extraction of natural gas in high-risk jurisdictions. The law firm assesses the ML/TF risk of the transaction as high and undertakes ECDD measures9 to manage and mitigate that high risk as well as to determine whether the transaction remains within its risk appetite. SOF and SOW enquiries 9 in accordance with Paragraph 5(1) and 5(3)(a)(iii) of Schedule 3

Page 20 of 31 identify that the company had previously acquired wealth through a significant investment from a sovereign wealth fund. The law firm then takes reasonable measures to mitigate the risks posed by the company’s wealth, through obtaining further assurances and documentation evidencing the investment from both the TCSP and the company itself. The law firm is able to gain sufficient comfort as to the legitimacy of investments in the company and goes ahead with the transaction. The customer in this case study is not the TCSP (who had approached the law firm on behalf of its own customers). Had the TCSP been incorrectly treated as the law firm’s customer, the ML/TF risk to the law firm due to the extraction of natural gas within high-risk jurisdictions and funding through a sovereign wealth fund would not have been assessed, leaving the law firm exposed to these ML/TF risks. Where an accountancy firm is approached by an FSB or another prescribed business to undertake auditing or tax compliance services, when determining the customer, the firm should consider for whom the services are being provided. Is the audit to be carried out on the FSB itself? Or is the audit on one of the entities being administered by the FSB, and if so that administered company should be considered the customer. Is the tax reporting for the FSB itself, or for a customer of the FSB? The identity of the firm’s customer therefore depends on the answers to these considerations. Who the customer is within a business relationship or occasional transaction for a law firm will also depend on the nature of the services being provided. As per the case study above, irrespective of how the relationship was initiated, the underlying entity/person to whom the services are for should in most cases be considered as the customer. Where a Bailiwick TCSP seeks legal services as trustee of a trust, then although the TCSP will be the law firm’s customer, the law firm should also consider the risk implications of the SOF/SOW within the trust structure, as the TCSP is the customer as trustee of that trust, irrespective of the trustee being licensed by the Commission. By comparison if a FSB seeks to open a bank account for one of their administered or managed company, that the FSB itself is not the beneficial owner of that bank account10; this would be the beneficial owner of the administered/managed company and the bank would identify the company as its customer. In the same sense, prescribed business services are typically provided to the underlying customer and not to the FSB who has initiated the services to be provided. 10 Except in circumstances, for example, where an account is opened for a trust by the FSB, who also acts as trustee to the trust.

Page 21 of 31 3.4 Source of Funds & Source of Wealth Most business relationships and occasional transactions undertaken by prescribed businesses are at the lower end of the risk spectrum and provided to either Guernsey or UK persons with clear beneficial ownership and few higher risk factors. However, over 2,000 high risk business relationships/occasional transactions, representing 8.4% of total business relationships/occasional transactions, were reported by prescribed businesses within the 2023 Financial Crime Risk Return. Where the risk is assessed as high, Paragraph 5(3)(a)(iii) of Schedule 3 requires firms to take reasonable measures to establish and understand the SOF and SOW of the customer and beneficial owner if the beneficial owner is a PEP. Guidance in Section 8.3 of the Handbook explains reasonable measures which could be taken to establish and understand SOF and SOW as well as how to corroborate this information. To meet the requirements of Schedule 3 and the Handbook, firms should firstly identify the SOF/SOW of the customer11, and then verify or corroborate this information. The Commission’s file reviews showed that, in most cases, firms had sufficiently identified the SOF and SOW of the customer and built a picture of where this wealth originated. However, the extent of the verification to corroborate the identified SOF/SOW information was insufficiently considered by eight firms visited. Area for Improvement: Risk-Based Corroboration of Source of Funds and Source of Wealth Where SOF or SOW information has been obtained either directly or indirectly from the customer, the extent to which that information is corroborated will depend on the risks within that business relationship or occasional transaction. Section 8.3 of the Handbook provides guidance on how firms may corroborate SOF/SOW and the method selected should be suitable to mitigate the risks presented by the business relationship/occasional transaction. A poor example seen in a customer file was where the firm sought to corroborate the SOF/SOW information obtained using only open-source media searches where the open-source media crucially did not link that person to the activity which was said to have generated their wealth. Insufficient corroboration was highlighted as an Area for Improvement within the Commission’s 2019 thematic review of Source of Funds/Source of Wealth in the Private Wealth Management Sector. Where a customer’s risk profile presents significant, or multiple, higher risks, firms should undertake more robust SOF/SOW enquiries to be satisfied that SOF/SOW is understood and that the risks presented by the customer’s SOF and SOW are adequately mitigated and do not represent the proceeds of crime. Suitable documentary evidence from a reliable source (assessed by the firm and documented as such) may include payslips, investment reports, 11 and beneficial owner, where the beneficial owner is a PEP

Page 22 of 31 deeds of sales, company audited accounts etc. Firms should take a risk-based approach using a combination of methods, such as obtaining information from a reliable third party which the firm then corroborates through open￾source media or, where appropriate, consider commissioning an independent expert report to mitigate the identified risks. SOF and SOW enquiries should not cease at the point at which firms receives third party information which may corroborate it. Not all information has equal value, and firms should be careful not to accept the information received to corroborate SOF/SOW at face value. A key step in the understanding of the SOF/SOW of a customer which was absent in several of the firms assessed within this thematic was an assessment of the veracity and relevance of the corroborating information obtained. The following questions may help to assess if the corroborating information which has been obtained is sufficient: Good practice was seen on customer files where the firm had recorded its detailed considerations around the SOF/SOW corroboration obtained within the risk assessment and file notes, or had documented this consideration in referrals to its risk committee, if it was of size and risk profile to have one. This was also found in files where the high-risk customer had been introduced by an FSB and the firm had obtained copies of the information held by the FSB to corroborate the SOF/SOW and assessed its veracity. Some firms may have conducted such an examination but made no record of this within the customer file, failing to demonstrate their considerations around high-risk customer SOF/SOW information.

Page 23 of 31 3.5 Business Relationships and Occasional Transactions The term ‘business relationship’ is defined within Paragraph 21(1) of Schedule 3 as meaning ‘a business, professional or commercial relationship between a specified business and a customer which is expected by the specified business, at the time when contact is established, to have an element of duration’. An ‘occasional transaction’ is likewise defined here as meaning ‘any transaction involving more than £10,000…12 carried out by the specified business in question in the course of that business, where no business relationship has been proposed or established and includes such transactions carried out in a single operation or two or more operations that appear to be linked’. A key element in determining whether a given activity would be considered a business relationship or occasional transaction is the intention. If the intention is that the firm will be providing a one-off activity to a customer at a given time, or are providing a series of services for a single activity, (for example, where a law firm provides services in the incorporation of a property holding company for a real estate asset being purchased by a customer, but also represents that customer in the acquisition of the real estate) these engagements would most likely be occasional transactions. Whereas if, at the time of onboarding, the intention is for the activity to be repeated regularly or require ongoing services with no immediate end date, such as advice on the completion of regular tax returns, appointment as auditor or being instructed as legal adviser to a property company buying and selling real estate, then this would likely be considered as a business relationship. From discussions with firms who we visited in the accountancy and legal sectors, it is clear that they had applied their own interpretation in deciding if an engagement is a business relationship or occasional transaction, usually settling on the former. However, as the following case study illustrates, this leads to a misapplication of their policies, procedures, and controls. The determination of whether a customer engagement is a business relationship, or an occasional transaction is also relevant for the data the Commission collects in the Financial Crime Risk Return, which is used for it application of risk-based AML/CFT/CPF supervision. Case Study: Blanket Determination of Business Relationships During the thematic review it was identified that one firm we visited had applied a one-size fits all approach to determining that all customer engagement constituted a business relationship and not an occasional transaction as they all contained at least some element of duration. 12 (or £1,000) in the case of a specified business described in paragraph 27(2) of Schedule 1 (“VASPs”))

Page 24 of 31 Although at onboarding there will be little or no difference to the steps a firm must take, when a business relationship is established, the risk assigned to this relationship will drive the level of ongoing monitoring and periodic review applied by the firm. The incorrect classification of occasional transactions as business relationships will lead to increased numbers of scheduled risk reviews which will not actually be required. For example, one prescribed business reported within the 2023 Financial Crime Risk Return that the firm maintained solely business relationships, but that only 3% of risk reviews scheduled for the reporting period had been completed. At face value a low completion rate suggests that the firm’s compliance arrangements are inadequate to manage the firm’s financial crime risks and that its compliance framework is failing when in reality the firm had incorrectly categorised activities that should have been considered occasional transactions as business relationships, thereby inflating the number of risk reviews it would appear to have to be undertake in future periods. This scenario was seen onsite with, in most of these cases, the given activity concluding long before any of the risk reviews falling due. Further, the firm’s management information is unlikely to be accurate and failing to correctly reflect its ongoing monitoring arrangements. In one example seen, compliance reporting to the Board gave the impression that a significantly large, but disproportionate, number of risk reviews would be due in the ensuing year because the customer engagement had been categorised as business relationship and not an occasional transaction. In this instance the services provided consisted of one-off tax advice and tax reporting which were not intended to be repeated in the future and so would not be considered a business relationship. Such an approach does not demonstrate an effective risk-based approach. Firms should decide whether a customer engagement constitutes a business relationship or occasional transaction on a case-by-case basis dependant on the information available to the firm at the time of onboarding rather than taking a blanket approach that does not consider the specific characteristics of the engagement. If at the start, an engagement is seen as an occasional transaction and the services provided subsequently change to those in a business relationship, the firm should re￾categorise the engagement as a business relationship. DID YOU KNOW? The Commission uses information provided within the Financial Crime Risk Return to assess the financial crime risks at both a firm level and across the financial services sectors. This in turn helps inform the NRA. It is vital that information included in these returns is accurate and submitted on a timely basis.

Page 25 of 31 It is unlikely that an estate agent will enter a business relationship when acting in a property sale. Whilst property sales have an element of duration owing to factors such as the state of the property market to the period for property conveyancing, this is viewed as a one-off activity and therefore an occasional transaction. A business relationship would exist however where an estate agent acts to market properties on behalf of a property developer. In this case, an element of duration would exist. With accountancy services, some activities may constitute business relationships whilst others will be occasional transactions. Generally, accountancy firms should consider whether the services provided are for a single event, or whether services will be provided on an ongoing basis. For example, when engaged to provide a single piece of tax advice this would constitute an occasional transaction, whereas an annual audit engagement with the same customer would be a business relationship. Given that the main activities relevant to the legal sector as prescribed business (as mentioned in the appendix) are activities which contribute to a specific purpose or outcome (for example the migration of a company or sale of a house), it is more likely that the prescribed business activities of law firms will be occasional transactions. But, much like accountancy services, law firms may have business relationships if they manage client money, securities, assets, or bank, savings, or securities accounts, for example as executor to an estate. The activity would likely be considered a business relationship, as the engagement is on longer term basis. Similarly, where a law firm receives a retainer to act on behalf of a customer in relation to prescribed business matters, this would likely be considered a business relationship. DID YOU KNOW? Only activities captured within Schedule 2 should be reported by firms within the Financial Crime Risk Return. For example, an estate agent should not report property rentals or property management relationships/transactions within the ‘Relationships’ tab of the Financial Crime Risk Return as these are not prescribed business activity.

Page 26 of 31 3.6 Placing Reliance on Other Financial Services Businesses and Prescribed Businesses There are several options available to prescribed businesses to place reliance on other Appendix C businesses to meet the requirements of Schedule 3 and the Handbook for the identification and verification of customers. Whichever provisions of the Handbook and Schedule 3 are utilised in the identification and verification of the customer, in instances where original identification data has not been obtained by the firm or original certified copies of documentation are not held, the firm should clearly record any provisions utilised, for example, by noting the fact that reliance is being placed on an introducer for CDD purposes within the relationship/transaction risk assessment. Prescribed businesses may utilise the provisions of Chapter 10 of the Handbook for establishing introduced business relationships or occasional transactions. An introduced business relationship or occasional transaction is a formal arrangement whereby an Appendix C business (or an overseas branch of, or member of the same group of bodies as, the firm) acting on behalf of one or more of its customers, establishes a business relationship or undertakes an occasional transaction with a firm on behalf of that customer. As an example, where a prescribed business provides services to a Guernsey company at the request of a Bailiwick TCSP, where the prescribed business has assessed that the TCSP qualifies as a reliable introducer and has established an introducer certificate in accordance with Chapter 10 of the Handbook, it may treat this business relationship or occasional transaction as introduced business. In addition to the identity information which must be provided within the introducer’s written confirmation or the certificate, the introducer should also provide the firm with written assurances that it has robust identification and verification policies and procedures in place and will provide copies of relevant identification data upon request. Where a firm considers a business relationship or occasional transaction to be introduced business, it is able to rely on the written confirmations of the introducer as to the identity of the customer without the need for this information to be verified. In such cases, the firm would not be verifying the identity of the introduced customer themselves, but would rely on the CDD controls of the introducer. It is important to note that in accordance with Paragraph 10(3) of Schedule 3, where a firm places reliance on an introducer, the responsibility for complying with the relevant provisions of Paragraph 4 of Schedule 3 remains with the firm. Additionally, Handbook section 10.4 sets out the testing requirements imposed on firms when accepting introduced business which is a key step in retaining sufficient oversight of the reliance placed on the introducer. That said, within this thematic review, limited use was seen of prescribed businesses placing whole reliance on an introducer certificate for CDD measures undertaken for introduced business. Instead, where firms had received instructions from an introducer (that they had assessed as being a reliable introducer and with whom they had

Page 27 of 31 established an introducer relationship), most firms had obtained copies of CDD information held by the introducer rather than relying on the introducer certificate itself. Area for Improvement: Outsourcing to a Third-Party The Commission acknowledges that the Board of Directors/Partners of a prescribed business are unlikely to be AML/CFT/CPF specialists with extensive knowledge and experience in combatting financial crime, but will be specialists in their given fields of property sales, accountancy, insolvency, tax, or law. That said, members of the Board/Partners must maintain sufficient AML/CFT/CPF knowledge to oversee the effective implementation of firm’s policies, procedures, and controls, which includes oversight of compliance services provided by an external party. We recognise that for smaller prescribed businesses an in-house specialist compliance function may not be feasible, but Boards must give careful consideration in any decision to outsource compliance. Handbook rules 2.11 & 2.14 place responsibility on the Board for the firm’s compliance with the Bailiwick’s AML/CFT/CPF regime. All boards should maintain sufficient knowledge to fulfil its, and each of its directors’, responsibilities for compliance with Schedule 3 and the rules in the Handbook to be able to maintain effective oversight of the firm’s policies, procedures, and controls, including any outsourced compliance functions. A view that the outsourced function should be allowed to run a firm’s AML/CFT/CPF framework and be trusted to get it right first time is not appropriate nor conducive to good governance. Good practice on outsourcing was observed within firms who demonstrated regular dialogue with the outsourced personnel. For oversight to be effective, the Board/Partners should regularly consider whether the services of the outsourced function are adequate and effective for the firm to meet its AML/CFT/CPF obligations, with meaningful input having been received from the outsourced function. This will enable the firm to assess if it wishes to continue to engage with the outsource provider or consider alternative options. The Commission found areas for improvement on the oversight of outsourcing to be particularly prevalent within the estate agency sector: The estate agents visited placed significant reliance on the outsourced AML/CFT function with little effective oversight to ensure that this function was providing sufficient and necessary services. In one case, the estate agent had relied on a risk assessment form provided by the outsourced provider, which failed to adequately assess risks of customers deriving SOF/SOW from higher risk industries or the risks present in PEP relationships.

Page 28 of 31 Case Study: Effective Oversight of an Outsourced AML/CFT Compliance Function One estate agency had identified that the outsourced MLCO had become too familiar with the firm and the engagement lacked the formal nature expected of an outsourced MLCO. The Board had maintained sufficient oversight to be able to identify that the compliance advice received lacked the structured approach which the business required to ensure the necessary level of challenge and robustness of the firm’s AML/CFT framework. The Board decided to replace the outsourced provider with an alternative provider to mitigate the risk that this overfamiliarity posed. DID YOU KNOW? Estate Agents, Accountants and Lawyers are unable to establish a business relationship with an ‘Intermediary’ who is acting for or on behalf of its customers13 . Prescribed businesses must always establish the identity of their customer is. Section 4: Conclusion It was encouraging to see that many of the prescribed businesses visited maintain appropriate and effective policies, procedures, and controls to identify, assess, mitigate, manage, and review and monitor the ML and TF risks which those firms are exposed to and on the whole the sector demonstrated a robust adherence to the Bailiwick’s AML/CFT framework14 . A good compliance culture appeared to be embedded within these businesses and all of the firms assessed displayed a strong desire to demonstrate their efforts to forestall, prevent and detect financial crime. Some firms would benefit from an increased focus on Bailiwick requirements where group policies and procedures apply , and all firms would benefit by ensuring that their policies and procedures map to all relevant areas of the Handbook. Both good and poor practice was seen with regard to the risk assessments being performed by firms, however, generally risk assessments demonstrated a reasoned thought process and consideration of relevant customer risk 13 Intermediary Relationship are explained in Handbook Section 9.8. Handbook Rule 9.53 sets out the qualifying products and services where intermediary provisions can be applied, and none of these apply to the activities performed by prescribed businesses. 14 As existed at the date of the Commission’s review.

Page 29 of 31 factors. The risk assessments of some firms were substantially tick-box in nature, limiting the opportunity for risk consideration to be documented and assessed, thereby reducing the value of the overall risk assessment process. The identification of who the customer is within a business relationship or occasional transaction has caused some confusion in each prescribed business sector, and it is hoped that the additional guidance within this thematic will be of assistance to industry in this regard. Identification and corroboration of SOF/SOW is viewed as being on par with financial services businesses which has a greater exposure to risk, such as investment firms and fiduciaries, which is encouraging. However, there is still some way to go to ensure that sufficient corroboration is collected, and the associated relevant risks adequately assessed. All prescribed businesses are advised to consider the Commission’s previous thematic review on Source of Funds/Source of Wealth in the Private Wealth Management Sector as many of the themes and good practices identified within this report are transferable. This thematic has revealed that different opinions are held by the legal and accountancy sectors on business relationships and occasional transactions and how to determine which of these a customer engagement belongs to but that on the whole significant thought has been given to this by the firms visited. It is hoped that comment within this report and revised guidance on the completion of the Financial Crime Risk Return will assist prescribed businesses in making an informed determination on future engagements and instructions. The following self-assurance questions are intended to assist firms’ considerations of their governance, risk and compliance controls for the identification, assessment, management, mitigation, and review and monitoring of ML, TF and PF risks: No. Question

1. Does the firm maintain adequate money laundering, terrorist financing, and proliferation financing business risk assessments which separately consider each of these risks and cover the risks specific to your sector as outlined in NRA2?
2. Do the firm’s existing policies, procedures, and controls map against all relevant areas of the Handbook on Countering Financial Crime (AML/CFT/CPF)? 2a. Are all customers subject to sanction screening? 2b. Do the firm’s policies, procedures, and controls cover counter proliferation financing controls?
3. Do customer risk assessments allow for consideration of risk factors to be documented to enable a full consideration of the identified risks and how these risks are mitigated? 3a. Do the firm’s policy and procedures on the application of enhanced measures require these to be taken on standard and low risk customers , in addition to high risk customers and explain the measures to be taken?

Page 30 of 31 4. Is there a policy for determining who the customer is within a given customer relationship and, in light of the guidance within this thematic, is this the correct person? 5. Is the ECDD undertaken, including the corroboration of SOF/SOW sufficient, and is there documented consideration of the risks posed? 6. Do the Board members/Partners have sufficient AML/CFT/CPF knowledge to enable them to oversee the firm’s compliance with Schedule 3 and the rules in the Handbook, for which they are responsible? 7. Where any aspects of compliance are outsourced, is sufficient oversight of these functions maintained and how does the management information from the outsourcing person support its effectiveness? 8. Does the firm have a well-reasoned process for determining whether a customer relationship is a business relationship or an occasional transaction? 9. Having reviewed the number of business relationships and occasional transactions reported by the firm within the Financial Crime Risk Return for the previous 3 years, considering the services offered by the firm and guidance within this thematic, is the firm satisfied that it is correctly categorising its customer engagements and has established a suitable periodic review process for those engagements which are business relationships? 10. Has the firm read and considered each of the Commission’s previously issued financial crime related thematic reports on: • Managing the Risks Posed by Politically Exposed Persons – 2023 • ML and TF Business Risk Assessments – 2022 • Sanctions – 2022 • Reporting Suspicion – 2021 • Source of Funds/Source of Wealth in the Private Wealth Management Sector – 202015 • Beneficial Ownership of Guernsey and Alderney Legal Persons - 2019 10a. Has the firm used any of the self-assurance questionnaires provided in these reports? 10b. Has the firm incorporated any good practice identified within these thematic reports or used these reports to address any of the poor practices identified by them? 15 Whilst based on the private wealth management sector, many themes and practices included in this thematic are applicable to all FSBs and prescribed businesses.

Page 31 of 31 Appendix: Activities Subject to Schedule 2 of the Proceeds of Crime Law Estate Agency Acting, in the course of business, on behalf of others in the acquisition or disposal of real property or any interest therein – (a) for the purposes of or with a view to effecting the introduction to the client of a third person who wishes to acquire or (as the case may be) dispose of such an interest, and (b) after such an introduction has been effected in the course of that business, for the purpose of securing the disposal or (as the case may be) the acquisition of that interest. Legal Services The business of a lawyer, notary, or other independent legal professional, when they prepare for or carry out transactions for a client in relation to the following activities – (a) the acquisition or disposal of an interest in or in respect of real property, (b) the management of client money, securities, or other assets, (c) the management of a bank, savings, or securities accounts, (d) the organisation of contributions for the creation, operation, or management of companies, or (e) the creation, operation, or management of legal persons or arrangements, and the acquisition or disposal of business entities. Accountancy Services The business of – (a) Auditor – any person who, by way of business, provides audit services pursuant to any function under an enactment (b) External Accountant – any person who, by way of business, provides accountancy services to third parties and does not include accountants employed by public authorities, or undertakings which do not by way of business provide accountancy services to third parties (c) Insolvency Practitioner – any person who, by way of business, provides services which include acceptance of appointment as an administrator, liquidator, or receiver under the Companies (Guernsey) Law 2008, the Limited Partnerships (Guernsey) Law 1995, or any other similar enactment (d) Tax Advisor – any person who, by way of business, provides advice about the tax affairs of other persons