2023-01-01

Guidelines on Establishment of Internal Controls by Service Providers

The Financial Services Commission of Jamaica issued these guidelines under the Trust and Corporate Services Providers Act, 2017, to mandate that licensed service providers establish adequate internal controls. The document requires licensees to implement risk-based policies, procedures, and systems to identify, assess, and manage business risks while maintaining accountability and regular review by senior management. Non-compliance with these standards constitutes an offence, and providers remain fully responsible for outsourced functions, necessitating rigorous monitoring and assurance of third-party controls.


Jamaica

Financial Services Commission Jamaica


THE JAMAICA GAZETTE EXTRAORDINARY

Vol. CXLV MONDAY, AUGUST 15, 2022 No. 265B

The following Notification is, by command of His Excellency the Governor-General, published for general information.

CLAUDINE HEAVEN, JP (MRS.)
Governor-General’s Secretary and Clerk to the Privy Council.

GOVERNMENT NOTICE

MISCELLANEOUS

RCTS-GUI2022/06-0009

GUIDELINES: ESTABLISHMENT OF INTERNAL CONTROLS BY SERVICE PROVIDERS

LEGISLATIVE REFERENCES:
The Trust and Corporate Services Providers Act, 2017, Section 6(4)(d)
The Trust and Corporate Services Providers (Licensing and Operations) Regulations, 2022 — Regulation 5

1. PURPOSE

1.01 Section 6(4)(d) of the Trust and Corporate Services Providers Act, 2017 (the “TCSP Act”) provides that, if a licence is granted to a corporate service provider or trust service provider, the licensee must comply with the standards set out in the Second Schedule and the guidelines issued from time to time, by the Financial Services Commission (the “FSC”). Further, section 46 of the TCSP Act empowers the FSC to issue guidelines in respect of the standards to be observed and the measures to be implemented by trust and corporate services providers in connection with their obligations under the Act.

1.02 These guidelines set out what is expected of a corporate and trust service provider and their staff concerning the establishment of internal controls; and seek to assist licensees under the TCSP Act in respect of their obligations under paragraphs 2(3) and 4(2) of the Second Schedule and regulation 6 of the Trust and Corporate Services Providers (Licensing and Operations) Regulations, 2022 to maintain adequate systems of control, and to develop and maintain policies, and procedures about its obligations under the TCSP Act as service providers.

1.03 These guidelines are issued under section 46 of the TCSP Act. Licensees under this Act should have regard to section 46(5) of the TCSP Act which provides that:

“A person who fails to comply with any guidelines issued pursuant to this section, commits an offence and is liable to summary conviction in a Parish Court to a fine not exceeding one hundred thousand dollars or to imprisonment for a term not exceeding one month.”

1.04 There may be other general obligations on service providers to maintain appropriate records and systems of control more widely concerning their business. These guidelines are therefore not intended to replace or interpret such wider obligations, if any.

2. GENERAL AND LEGAL OBLIGATION

2.01 A service provider is required to conduct its business in a prudent manner, by maintaining adequate accounting and other records of its business, have adequate systems of control and develop policies and procedures regarding its obligations under the TCSP Act as well as any other enactment. Moreover, a service provider also has an obligation to carry on its activities in a manner that will not bring Jamaica’s reputation into disrepute. In so doing it must maintain adequate systems to assess the risks of its business and develop and maintain policies and procedures pertaining to its obligations under this Act and any other enactment.

2.02 A service provider’s policies, procedures, and controls must be proportionate with regard to the size and nature of its business and must be approved by its senior management and kept under regular review. A written record of the policies, procedures and controls must be maintained.

2.03 A service provider must implement systems and controls that enable it to identify, assess, monitor, and manage the risks to which its business is exposed. Those systems and controls will vary by service provider depending on the nature and characteristics of the business. The factors which inform the extent of the systems and controls include:

• the nature, scale, and complexity of the service provider’s business;
• the diversity of the service provider’s operations;
• the degree of risk associated with each area of its operation;
• the degree to which outsourcing is done.

2.04 Where appropriate, having regard to the size and nature of its business, a service provider must:

(i) establish an independent internal audit function with the responsibility to examine and evaluate the adequacy and effectiveness of the policies, procedures, and controls adopted by the licensee to comply with the requirements of the TCSP legislation and other relevant enactments.

(ii) The internal audit function that is established should:

(a) make recommendations about those policies, procedures, and controls.

(b) monitor the service provider’s compliance with those recommendations and ensure that when any innovative technology is implemented by the service provider, appropriate measures are taken to assess, and if necessary, mitigate, any attendant risks this may cause.

2.05 A service provider must establish and maintain systems that enable it to respond fully and quickly to queries from the FSC and other competent authorities.

2.06 A service provider’s systems and controls should cover senior management accountability, including the allocation to a director or other senior manager of overall responsibility for the establishment and maintenance of effective systems and controls which should also address appropriate:

(i) documentation of the service provider’s risk management policies and risk profile as well as changes in its business profile;
(ii) training of staff;
(iii) provision of regular and timely information to senior management.

2.07 Where a service provider outsources any of its systems and controls and/or processes to other persons within its group of companies or a third party, whether in Jamaica or other jurisdictions, this brings an additional dimension to the risks that the service provider faces which must be actively managed. Outsourcing of functions can lead to an increase in the risk of the service provider; therefore the service provider should assess the risks associated with the outsourced functions, record the assessment, and monitor the risk on an ongoing basis. A service provider must obtain assurance that the entity to whom any system or control and/or processing has been outsourced meets the standards or requirements set out in these guidelines and other relevant guidelines issued by the FSC.

2.08 It should be noted that a service provider cannot contract out of its statutory responsibilities. Consequently, a service provider remains responsible for systems and controls in relation to the activities outsourced, whether within Jamaica or to another jurisdiction. Given the foregoing, a service provider must therefore ensure that the person to which anything has been outsourced has in place satisfactory systems, procedures, and controls; and that those policies and procedures are kept up to date to reflect changes in Jamaica’s requirements.

3. RISK-BASED APPROACH TO INTERNAL CONTROLS

3.01 Once a service provider has identified and assessed the risks it faces, senior management must establish and maintain policies, procedures, and controls to mitigate and effectively manage the identified risks to which the business is exposed based on the risk assessment it has done. These policies, procedures, and controls should be designed to provide an effective level of mitigation using a risk-based approach buttressed by robust mechanisms to ensure compliance, the identification of weaknesses, and the implementation of measures to effect improvements wherever necessary.

3.02 Implementation of a risk-based approach to internal systems of control will depend on the operational structure of the service provider. For example, a service provider that has a single business will need a different approach from one that operates through multiple business units or branches.

3.03 Senior management should decide on the appropriate approach in light of the service provider’s structure.

4. MONITORING EFFECTIVENESS OF CONTROLS

4.01 A service provider must undertake regular assessments of the adequacy of its systems and controls to ensure its business risks are effectively managed.

4.02 Having regard to the size and nature of its business, where appropriate a service provider must establish an independent internal audit function with responsibility for:

• examining and evaluating the adequacy and effectiveness of the policies, procedures, and controls used by the licensee;
• making recommendations concerning those policies, procedures, and controls;
• monitoring the service provider’s compliance with those recommendations.

4.03 The effectiveness of systems and controls is therefore driven by a combination of factors, including:

• ensuring that policies and procedures reflect current legal and regulatory developments and requirements;
• the adequacy of resources available;
• trained staff, who are up to date with current developments;
• having appropriate monitoring processes, with timely follow-up of findings;
• appropriate monitoring of outsourced arrangements;
• having appropriate quality control/internal review processes;
• appropriate management information made available to senior management and those with supervisory responsibilities;
• the work of any internal audit function;
• record-keeping policies, practices and systems that are adequate.

Questions regarding these guidelines may be directed to the:

Registration, Corporate & Trust Services Division
The Financial Services Commission
39-43 Barbados Avenue
Kingston 5
Telephone: (876) 906-3010, (876) 818-0647
Facsimile: (876) 906-3018
E-mail: Registration@fscjamaica.org