REGULATOR ACTIONS AND THE LESSONS EMERGING

Regulatory action is on the rise, and this across all sectors. High quality governance and risk management are without question the key elements to mitigating the potential for regulatory failure and these need to be the priority of all boards.


Regulators are taking increasing levels of action against licensed firms.


They are also taking to publishing their findings and reasoning in more and more detail.


It doesn't really matter which industry you are in:

Financial Services

Manufacturing

E-gambling

Education and immigration


The result is the same, more visits, more remediation, more enforcement.


Is this because more firms are breaching requirements, or is it simply that regulators are choosing to take more action?


In my series looking at this, and what we can learn, here is my take on the direction of travel in Guernsey's financial services, however the learning points are equally relevant across industries.


The Guernsey Financial Services Commission (GFSC) has issued a number of Public Statements on organisations over the last three years and there are more to come following recent announcements.


Standard Chartered Trust (Guernsey) Limited - not yet published

Global Insurance Group Limited - not yet published

Criteria Wealth Management Limited

Louvre Fund Services Limited (2019)

Certes Capital Limited

Louvre Trust (Guernsey) Limited

Vida Financial Services Limited

Richmond Fiduciary Group Limited

Blenheim Fiduciary Group Limited

Capital Solutions Limited et al

Marlborough Trust Company Limited et al

Louvre Fund Services Limited (2016)

Bordeaux Services (Guernsey) Limited

Guernsey Insurance Brokers Limited

Provident Trustees (Guernsey) Limited


We can learn a huge amount from reflecting on these statements as a collective.


Observing the trends that emerge and any direction that the GFSC might be moving in its approach to regulation and enforcement.


Here, I reflect on these cases, drawing out the themes and putting forward some key learning points and possible actions that could be considered by any regulated entity.


There are a number of different types of visit and in my review, these are the types mapped against those that have then reached enforcement. Of course, some entities were visited more that once with different types of visit before action was taken, and these have been factored in.


Ratio of enforcement vs visit


Financial Crime 6

Supervisory 9

Thematic Review 5

Engagement 0

External Events 6


What's interesting here, is the actually surprising number arising from Supervisory visits. In my conversations with organisations, there has been a view that enforcement has been preceded largely by a financial crime visit and this should, therefore, be taken more 'seriously' than those from the 'friendly' supervisory team. The data suggests otherwise.


Key themes arising from these Statements:


Conducting unlicensed business

This ranges from not identifying NRFSBs to the conduct of unlicensed investment and fiduciary activities.


Insufficient procedures and controls

Principally targeted on absence in the AML/CFT arena, however sometimes this extends into conduct matters such as customer management and suitability assessment.


Evidence of failure of procedures and controls

This is almost exclusively in the AML/CFT area, and I suggest this is because it is easier to identify and 'pin down' than other failures.


Failure to carry out sufficient due diligence

Specifically in the AML/CFT space because it clearly relates to the requirements to identify and then verify the identity of your customers, however expect this to extend into the source of funds and wealth space in the very near future.


Director incompetence, specifically in the oversight of compliance

Whilst I have not included a specific review here of the action taken against Directors and Officers, I have brought this in as it's a theme arising from the organisational Statements in their own right.


Here there is a clear connection between regulatory failure and the oversight of the board. Most notably, this occurs around internal compliance, however expect future sanctions to include oversight of third-party outsourced compliance.


Failure to keep adequate records

This focuses most often in relation to aspects of financial crime compliance, however does extend into corporate governance aspects such as minute taking, company records and other aspects such as outcomes from compliance monitoring programmes.


Failure in conduct towards customers

These cases tend to arise from action following an external event, such as involvement of another regulator or customer complaints, however there are also cases related to internal failures, such as controls around fee pricing and charging.


So,

Whilst the areas of concern may look fairly obvious, what's interesting to me is the diverse nature of these failings. This indicates to me that financial services businesses are not struggling with one particular aspect of their compliance with regulation, but many.


This aligns with my view that compliance is not a function in itself, but a product of two key elements:


Governance, and

Risk Management


When I say governance here, I don't mean corporate governance. This is a rather limited and possibly in my view rather ineffective expression of governance. Here I am talking about overall governance of an organisation, comprised of the three overarching aspects of:


Decision-making

Implementation, and

Culture.


This 'governance' needs to be embedded throughout an organisation, not just an action from senior executives. It is 'hard' to implement and get right. It requires persistence, consistency and resilience from the board and senior management and needs to involve the entire spectrum of employees and other stakeholders.


Risk management here is specifically focused at regulatory risk management, but can equally be applied in other domains.


It needs to be robust, clear in its approach and involve all stakeholders. This cannot be a 'function' purely 'left to compliance'. The ownership of this needs to be spread across and throughout the organisation, with each domain and each person understanding the risks 'they own'.


In summary,


1. The regulatory action being undertaken by the GFSC is increasing and there seem no abatement on this. Certainly the message coming out from the regulator itself is that it will get tougher on regulated businesses that continue to demonstrate 'poor compliance'.


2. The origins of action do not exclusively come from failures in financial crime compliance, but from a wide variety of areas within a business. Directors need to ensure that they do not become too focused on financial crime compliance at the expense of other areas.


3. The regulator is clear that ownership of failure sits with the board and officers. Expect more scrutiny and higher fines and numbers of sanctions against individuals in the coming 18-months.


4. Oversight of compliance internally is important, but the regulator is also keen to ensure that this extends to third-party provision of compliance services. Expect action against those that fail to have sufficient oversight and challenge of these services.


5. Compliance is not a thing that is done by anyone or any function. Compliance is an outcome. Compliance is a product. A product of doing two things really well,


Governance and risk management.


Think hard about this.


It needs to be in your strategy.

It needs to be top of your board's agenda.

You need to understand this.


"...moving organisations towards better governance"

© 2020 by Perrin Carey