JFSC publish SUSPICIOUS ACTIVITY REPORTING [SAR] EXAMPLES OF GOOD PRACTICE [PART 2]

During 2023, the JFSC assessed five virtual asset service providers’ (VASPs) compliance with their statutory and regulatory obligations for suspicious activity reporting, including their relevant systems and controls. The JFSC also assessed the VASPs’ transaction monitoring systems and controls.

The findings may be at VASP firms, but all supervised persons can learn from the findings below.

EXAMPLES OF GOOD PRACTICE

The following details the JFSC findings and examples of good practice.

BOARD/SENIOR MANAGEMENT RESPONSIBILITIES

AREA OF FINDING

1. Board/senior management minutes did not sufficiently evidence discussion of the MLRO’s performance and the MLRO’s report

2. Insufficient consideration of the MLRO’s timeliness in acknowledging iSARs

3. Insufficient evaluation of any competing priorities impacting the MLRO function

4. Limited evidence of the board/senior management considering potential trends, levels, or risks emerging from SAR reporting

5. Minutes referred to a review of MLRO reports but did not evidence discussion and consideration of risks arising from an absence or increase in the level of SAR reporting in the period

6. Limited evidence in minutes of actions considering the MLRO reports, such as a review of training or evaluating any deficiencies in analysing transaction monitoring reports

7. No record of ownership timeframes, dates for completion or conclusions for actions

GOOD PRACTICE

8. Demonstrated consideration of the effectiveness of systems and controls and the quality of the reported management information.

9. The effectiveness of the MLRO and MLRO functions is assessed, including, but not limited to, whether the MLRO is dealing with SARs promptly.

10. Routine assessment of whether the other roles the MLRO fulfils impact their effectiveness and independence or give rise to conflicts.

11. Evidence in minutes of discussion/challenge/scrutiny and conclusions of the SAR information provided in MLRO reports.

12. Evidenced consideration of the levels/quality of SARs

13. Resulting action points and owners documented and tracked to completion.

14. Reports are not only “taken as read” or “noted” but evidence they are being discussed and considered in detail.

15. Evidence the board/senior management has undertaken separate training related to its reporting obligations.

16. Evidence the MLRO/DMLRO have been/continue to be trained on handling iSARs/eSARs, liaising with the Joint Financial Crime Unit/law enforcement and how to deal with the risk of tipping off

ISAR/ESAR PROCEDURES

AREA OF FINDING

1. Not communicating to employees, the identity of the MLRO (and any deputy MLROs) to whom an iSAR is made.

2. Not highlighting that reporting requirements extend to business relationships and one-off transactions that are declined.

3. Not stating that SARs must be made regardless of the amount involved in a transaction or business relationship.

4. The requirement for the MLRO to acknowledge any iSARs as soon as possible was not seen.

5. The requirement to record all iSARs and eSARs in a register must be seen.

6. Not documenting that the MLRO is required to inform the Jersey Financial Intelligence Unit where relevant information is discovered.

7. No established measures to prevent iSARs from being filtered by line management such that they do not reach the MLRO.

8. The requirement to record all eSARs in a register with the date of the report and information needs to be included to allow supporting evidence to be retrieved quickly.

GOOD PRACTICE

9. Clearly stating that reporting requirements extend to potential business relationships and declined one-off transactions.

10. Maintaining registers to record all declined business with a written explanation.

11. The declined register (and analysis) forms part of the MLRO’s board report

12. Where relevant information is discovered, highlighting the requirement to inform the Jersey Financial Intelligence Unit and also evidencing this in MLRO reporting to the board.

13. Procedures and training require that the MLRO or (or Deputy MLRO) acknowledge iSARs as soon as possible.

14. Timescales for acknowledging iSARs form part of the MLRO board report and are analysed to ensure acknowledgements are made as soon as possible.

15. iSARs are made in a set format.

16. iSARs fully explain the information or matter that gave rise to knowledge, suspicion, or reasonable grounds for knowledge or suspicion.

17. iSARs include the date the information or matter came to the employee’s attention.

18. iSARs include the date of submission of the iSAR.

19. iSARs include full details of the customer, transaction, or activity the supervised person holds on its records.

20. The tipping-off provisions are covered in detail in procedures and written in a way that employees can easily understand.

TRAINING

AREA OF FINDING

1. Materials not tailored to the activities and risks of the supervised person.

2. Failing to adequately cover relevant Jersey AML/CFT/CPF obligations, including relevant mandatory sanctions legislation and responsibilities and requirements about connection pertinent to an enhanced risk state.

3. Adequate arrangements need to be implemented to test the effectiveness of employee training and awareness.

4. Procedures incorrectly interpret Article 4 of the Money Laundering (Jersey) Order 2008 and, therefore, incorrectly waive due diligence for one-off transactions of at most 15,000 euros.

5. Where third-party training providers are used, instances of inaccurate references do not reflect Jersey’s AML/CFT/CPF regime.

GOOD PRACTICE

6. Relevant to an entity with specific examples of ML/TF/PF case studies, red flag warnings, examples of unusual activity, and customer profiling to identify unusual transactions.

7. Separately covering TF and PF as well as ML risks and prevention, with explanations of the differences between the three

8. Case studies should be included to highlight the obligation of employees to report, the potential consequences of failing to report, and the importance each employee has in preventing and detecting financial crime.

9. Explaining risk appetite, business risk assessment and financial crime strategy and how these link to risk mitigation procedures.

10. Where a third-party training solution is used, assess it to ensure it complies with the statutory and regulatory regime in Jersey, including a gap analysis to identify and address any deficiencies or inaccuracies.

11. Including financial sanctions in the training plan, with those who fail to achieve a minimum pass score in this area provided with additional training and reassessed.

12. Analysing test answers to identify any areas with a lower level of understanding, which then informs future training.

13. Consider the guidance notes in Section 9 of the Handbook and reference JFSC examination feedback papers.

TRANSACTION MONITORING

AREA OF FINDING

1. Procedures not referencing monitoring to determine relevant connections to an enhanced risk state.

2. There is no reference to the monitoring tool’s (Blockchain analytics or similar) coverage, including how often the system is updated or any limitations.

3. Policy not fully demonstrating compliance with the Money Laundering (Jersey) Order 2008

4. Policy not reflecting the Handbook’s requirement of appropriate and consistent policies and procedures for the identification and scrutiny of transactions.

5. Lack of procedures for identifying complex or unusually large transactions, unusual patterns of transactions with no apparent economic or visible lawful purpose, and any other activity which may be related to the risk of ML/TF/PF

6. Insufficient evidence that transactions are scrutinised for notable or unusual activity.

7. There needs to be more evidence of the measures to identify notable or unusual activity.

8. Insufficient evidence of the extent of examination and analysis of the monitoring outputs, exception reports and alerts

GOOD PRACTICE

9. Detailed transaction monitoring procedures maintained, which show the blockchain analytics solution used.

10. Documented evidence of understanding how the system works, including any limitations (and how these are managed)

11. Systems tailored to the business.

12. Systems facilitate users applying additional judgement and experience in recognising unusual transactions and activity - particularly important when transactions are made in virtual assets.

13. Procedures reference the monitoring undertaken to determine a relevant connection to an enhanced risk state and the associated training required for employees.

14. Facilitates the application of additional judgement and experience to recognise unusual transactions and activity. This is particularly important when transactions are being made in VAs.

15. Transaction monitoring procedures reference the monitoring undertaken to determine a relevant connection to an enhanced risk state and the associated training required for employees.

16. Evidence exists detailing how the transaction monitoring system works.

17. Assessments are undertaken when the system is changed.

18. Detailing the extent of the coverage/any limitations

19. Detailing who or what is monitored, including details of the external data sources.

20. Detailing how the system is used to identify unusual activity.

21. Detailing how the outputs, exceptions reports and alerts are analysed.

PART 1 = JFSC publishes SUSPICIOUS ACTIVITY REPORTING [SAR] examination feedback.

During 2023, the JFSC assessed five virtual asset service providers’ (VASPs) compliance with their statutory and regulatory obligations for suspicious activity reporting, including their relevant systems and controls. The JFSC also assessed the VASPs’ transaction monitoring systems and controls.

These findings may be at VASP firms, but all supervised persons can learn from the findings below.

The JFSC identified four critical areas for improvement.

1. Corporate governance - board and senior management responsibilities
1. - Section 2 of the Handbook.
2. Internal suspicious activity report (iSAR) and external suspicious activity report (eSAR) procedures
1. – Sections 8.3.1 and 8.3.2 of the Handbook.
3. Training
1. - Section 9 of the Handbook.
4. Ongoing monitoring
1. - Section 6 of the Handbook.

The details are

1. Corporate governance - board and senior management responsibilities
1. Several findings related to board/senior management responsibilities and demonstrating effectiveness of systems and controls related to suspicious activity reports (SARs), including:
   1. Limited evidence that the board/senior management had given adequate consideration to potential trends, levels, or risks emerging from SARs
   2. The minutes do not sufficiently provide a discussion relating to the money laundering reporting officer’s (MLRO) function.
   3. Limited evidence to show that MLRO’s reports had been discussed and/or challenged by the board/senior management.

2. Internal suspicious activity report (iSAR) and external suspicious activity report (eSAR) procedures
1. Several findings related to the completeness of iSAR and eSAR procedures, including:
   1. Not highlighting that reporting requirements extend to business relationships and one-off transactions that are declined.
   2. Not including that SARs must be made regardless of the amount involved in a transaction or business relationship.
   3. The requirement for the MLRO to acknowledge any iSARs as soon as possible must be included.

3. Training.
1. Several findings related to the adequacy of training procedures, including:
   1. Training not tailored to the supervised person’s business and ML/TF/PF risks.
   2. Failure to cover relevant Jersey obligations.
   3. Third-party training solutions with inaccurate references to Jersey’s AML/CFT/CPF regime

4. Ongoing monitoring
1. Several findings related to the adequacy of the systems and controls for ongoing monitoring and scrutiny of transactions, including:
   1. Transaction monitoring procedures that did not refer to the coverage and limitations of monitoring tools (Blockchain analytics or similar)
   2. The frequency with which the system is updated.

Action

5. Supervised persons should also consider other relevant examination findings and questionnaires on the JFSC’s website and related papers, such as the role of the MLRO.
1. https://www.jerseyfsc.org/industry/examinations/examination-findings-and-questionnaires/
2. https://www.jerseyfsc.org/industry/visits-and-examinations/themed-examination-role-of-money-laundering-reporting-officer/
6. Where supervised persons identify any deficiencies in systems and controls, we expect them to:
1. Prepare a remediation plan and discuss this with their supervisor, referring to the JFSC guidance on remediation action plans
   1. https://www.jerseyfsc.org/news-and-events/guidance-on-remediation-action-plans/

2. Consider the notification requirements under the AML/CFT/CPF Code of Practice set out in Section 2.3 of the Handbook and the relevant Code of Practice on dealing with the JFSC openly and cooperatively
   1. https://www.jerseyfsc.org/industry/financial-crime/amlcftcpf-handbooks/amlcftcpf-handbook/

3. Remedy any identified matters in the manner set out in the remediation plan agreed with their supervisor
4. Consider what assurance activities may provide comfort to the board and senior management that deficiencies identified have been addressed effectively

Source

https://www.jerseyfsc.org/industry/examinations/2023-virtual-asset-service-providers-suspicious-activity-reporting-examination-feedback/