JFSC examinations feedback - suspicious activity reporting obligations – findings and best practice

As reported last week by Comsure, the JFSC issued a feedback paper on the theme of suspicious activity reporting (SAR) obligations.

• https://www.comsuregroup.com/news/jfsc-examination-feedback-on-dnfbp-sar-obligations-accountants-online-casino-estate-agents-and-lawyers/

By way of background:-

• In 2023, a thematic examination was conducted on 20 designated non-financial businesses & professions (DNFBPs), and
• The JFSC highlighted the following findings and expected best practices.

FINDINGS AND EXPECTED BEST PRACTICES.

FINDINGS = BOARD/SENIOR MANAGEMENT RESPONSIBILITIES

1. Board/senior management minutes relating to compliance/MLRO reports contained either limited references or were “taken as read” or “noted.”
2. Board/senior management minutes did not include discussion and challenge of the management information provided by the MLRO in their reports.
3. Inadequate consideration and assessment in board/senior management minutes of low levels or absence of internal suspicious activity reports (iSARs)
4. Inadequate consideration and assessment of testing outcomes in board/senior management minutes, such as testing employee awareness.
5. Lack of regular assessment of the MLRO function and fulfilment of role obligations
6. Inadequate consideration and assessment of where the MLRO fulfils multiple roles that may impact their effectiveness or give rise to conflicts.
7. Inaccurate job descriptions and procedures relating to the role of the MLRO, with confusion between the specific responsibilities of an MLRO and those of an MLCO - the MLRO and the MLCO may be the same person, but the role responsibilities are separate and specific.

GOOD PRACTICE = BOARD/SENIOR MANAGEMENT RESPONSIBILITIES

1. Board/senior management minutes evidence discussions about MLRO reports, including challenge and scrutiny of the information provided.
2. Documented consideration of the levels/quality of SARs, including any resulting action points and who is responsible, which are tracked to completion.
3. Board/senior management minutes demonstrate routine monitoring of the performance of the MLRO/DMLRO and ensure SARs are handled appropriately and consistently.
4. Board/senior management periodically considers the MLRO reports, and the time taken between information of a matter coming to an employee’s attention and the date of the iSAR.
5. Board/senior management minutes detail routine assessment of whether the other roles the MLRO fulfils impact their effectiveness and independence or give rise to conflicts.
6. An accurate job description setting out the role and responsibilities of the MLRO, which include receiving and considering iSARs following internal reporting procedures.
7. The difference between the MLRO and MLCO responsibilities is delineated, with the MLCO, and not the MLRO, responsible for conducting business risk assessments, monitoring updates to policies and procedures, reviewing customer due diligence /enhanced due diligence and monitoring customer activities.

FINDINGS =- ISAR/ESAR PROCEDURES

1. Systems and controls did not include measures to ensure iSARs were not filtered by line management, preventing submission to the MLRO.
2. Internal reporting procedures did not establish the importance of making an iSAR as soon as practicable.
3. Procedures did not include the identities of the e MLRO (or deputy MLRO)
4. Procedures did not include arrangements for disciplining an employee who fails to make an iSAR without a reasonable excuse and as soon as practicable.
5. iSAR procedures did not include the requirement for the MLRO to formally acknowledge receipt of the iSAR to the member of staff who had submitted it
6. Procedures did not remind employees making iSARs of the risk of committing a tipping-off offence.
7. The MLRO (or deputy MLRO) had not documented all enquiries made about each iSAR
8. The MLRO (or deputy MLRO) had not documented the basis and rationale for externalising or not externalising a SAR to the FIU
9. The MLRO (or deputy MLRO) had not considered the requirement to update the Jersey FIU where more information is discovered following the initial submission.
10. iSAR reporting procedures did not extend to potential business relationships and declined transactions, so the board/senior management was unaware of the number of potential clients which had been declined.
11. Supervised persons had not maintained SAR registers.
12. Supervised persons had not maintained a procedure requiring the MLRO (or Deputy MLRO) to record all iSARs and eSARs in a register.
13. iSARs did not contain the date the information or matter came to the employee’s attention and the date of submission to the MLRO.
14. iSARs did not contain as full a statement as possible on the information or matter giving rise to the knowledge, suspicion, or reasonable grounds for knowledge or suspicion.
15. iSARs did not contain the identity of the individual who made the iSAR and in what capacity.
16. iSARs did not include full details of the customer and transaction activity that the supervised person holds on record.
17. SAR procedures suggested that the value of the one-off transaction or business relationship would be a factor in determining whether an iSAR/eSAR should be submitted.
18. procedures and the iSAR form only required reporting suspicion relating to "existing criminal property."

GOOD PRACTICE = ISAR/ESAR PROCEDURES

1. Procedures and employee handbooks emphasise that the decision to report is the employee's personal liability and not the line managers.
2. Employment contracts and handbooks set out that iSARs should be made to the MLRO as soon as practicable and include the identity of the MLRO.
3. Employee handbooks set out the disciplinary sanctions for failing to report knowledge, suspicion, or reasonable grounds for knowledge and suspicion, without reasonable excuse, or for failing to report as soon as practicable.
4. The MLRO’s report includes a detailed activity timeline from the date the internal SAR is received and acknowledged until its conclusion and clearly articulates the reasons for any delays.
5. Tipping-off provisions are covered in detail in procedures and are easy for all employees to understand.
6. Procedures include reminding employees of the risk of committing a tipping-off offence.
7. The MLRO provides a detailed rationale for externalising or not externalising the iSAR.
8. Registers record all declined business, with a written explanation of why the business relationship or one-off transaction was declined.
9. The declined business register and analysis form part of the MLRO’s board/senior management report
10. SAR procedures should include that iSARs are to be considered regardless of the amount involved.
11. The iSAR form should include that any property can constitute or represent proceeds of criminal conduct.

FINDING = TRAINING

1. The board/senior management could not provide evidence that the effectiveness of their training had been assessed.
2. The board/senior management could not provide evidence that employees understood their AML/CFT/CPF requirements.
3. Training was not tailored to the supervised person and the specific employee, such as the MLRO.
4. In some instances, sole traders had undertaken insufficient training on key aspects of Jersey legislation to prevent and detect ML/TF/PF
5. Supervised persons could not provide evidence that training had been delivered covering key aspects of AML/CFT/CPF legislation.
6. Supervised persons were unable to provide evidence that training highlighted to employees the importance of their individual contribution to the prevention and detection of ML/TF/PF

BEST PRACTICE = TRAINING

1. The MLRO can evidence practical training for employees, including step-by-step scenario exercises where a fictional customer proposes a new piece of business, and employees navigate submitting an iSAR.
2. Training is relevant to the entity, with specific examples of ML/TF/PF case studies, red flags, examples of unusual activity, and customer profiling to identify unusual transactions.
3. Training includes case studies to highlight the obligation of employees to report, the potential consequences of failing to report, and the importance of each employee in preventing and detecting financial crime.
4. Training procedures include explanations of risk appetite, business risk assessment, and financial crime strategy, and how these are linked to procedures to mitigate risks.
5. Where a third-party training solution is used, it is assessed to ensure it accurately complies with the statutory and regulatory regime in Jersey, including a gap analysis to identify and address any deficiencies or inaccuracies.
6. Financial sanctions are included in the training plan.
7. Employees who fail to achieve a minimum pass score in financial sanctions are provided additional training and reassessed.
8. Test answers are analysed to identify areas with a lower level of understanding and used to enhance future training.
9. Training considers the guidance notes in Section 9 of the Handbook and references JFSC examination feedback papers.

ACTION REQUIRED

1. The JFSC expect boards and senior management of all DNFBPs, not just those subject to this examination, to now:
1. Consider the findings and best practices highlighted in this feedback against their arrangements.

2. Make changes to their systems and controls if they identify any areas for development.

3. Ensure that their business is complying with all relevant statutory and regulatory requirements concerning the completeness of their suspicious activity reporting systems and controls, including, but not limited to, Article 21 of the Order and Sections 8.3.1 and 8.3.2 of the Handbook

4. Consider the effectiveness of systems and controls and of the quality of the management information being reported, as set out in Section 2 of the Handbook
5. Demonstrate that employees receive adequate and appropriate training tailored to the specific business as set out in Section 9 of the Handbook
2. Supervised persons should also consider referring to other relevant examination findings and questionnaires on the JFSC’s website and related papers, such as the role of the MLRO.
3. In future planning, the JFSC will consider repeating this thematic examination to test whether DNFBPs have taken on board the guidance set out in this feedback and whether the compliance rates have improved.

SOURCE

https://www.jerseyfsc.org/industry/examinations/examination-findings-and-questionnaires/2023-designated-non-financial-businesses-and-professions-suspicious-activity-reporting-obligations-feedback/