How to Prepare for Regulator Supervisory Visits in Jersey
The Jersey Financial Services Commission (JFSC or the Commission) is currently undergoing a significant period of change, the need for which was highlighted in 2015 by Lord Eatwell (Chairman of the Commission). His vision was of a regulator that could show itself to be listening and agile. As part of this change program, the JFSC has recently introduced a revised supervision model. Currently, firms are supervised by license and, if a firm holds multiple licenses, this may mean several onsite examinations a year. Under the new regime, each firm will be risk rated by the Commission and supervised by one team and supervisor across all licenses.
What does the new supervision model mean for firms and how should they prepare? Whilst the approach to supervision may change and firms should prepare for this, the fundamentals of sound compliance risk management remain unchanged. A robust risk management framework, good governance and a sound compliance culture are paramount to meeting regulatory requirements and mitigating a firm’s exposure to regulatory risk and resulting financial and reputational implications.
Summarized below are the key changes to the supervision model, what good practice compliance arrangements look like and how firms should consider preparing for the new format of supervisory visits.
How Supervision in Jersey is Changing
The JFSC’s newly revised supervision model (due for full implementation in 2017) aims to provide a consistent supervisory approach combined with an ongoing assessment of risk against the JFSC’s Guiding Principles set out in the Financial Services Commission (Jersey) Law 1998. Supervision teams are now categorized by entity as opposed to license, which means firms will have one point of contact with the regulator. The supervision teams’ efforts will be supported by a Central Support Unit, Risk Unit and a Supervisory Examination Unit.
The JFSC will focus its supervision based on a firm’s capacity to impact the supervisory objectives and Guiding Principles. Businesses that do not pose a material impact will engage with the regulator through outreach initiatives and thematic examinations.
The regulator will need to consider the new supervisory arrangements alongside developments seen by firms. As consolidation develops in the fiduciary industry, larger and smaller firms inevitably face different but related challenges, such as ensuring controls keep pace with growth and being able to absorb the higher costs of ever-increasing expectations on compliance arrangements. Likewise, for investment businesses, suitability arrangements are coming under increased scrutiny by the regulator. Banks, which typically hold multiple licenses, will likely find themselves under enhanced supervision under the new regime.
As part of this, the JFSC recently issued a survey across the sector that will enable industry professionals to comment on the most serious risks the JFSC is to manage. This information will assist the JFSC to make an assessment of the risks and determine how the new model will develop. The JFSC will continually evaluate the effectiveness of the new supervisory model, adapting the regulatory approach and the direction of regulatory activities as it deems appropriate.
Key Focus Areas and Best Practice for Firms
This indicates a change in focus by the regulator from technical compliance with relevant standards to a more judgement- and risk-based approach. But what does this mean, in practical terms, for regulated firms in Jersey?
With full implementation of the model scheduled for next year, this is a timely opportunity for firms to undertake an assessment of the adequacy of their risk management and compliance arrangements to ensure that they still make the grade under the new regime.
The recent FSB and TCB onsite examination feedback provides a useful insight into the areas of focus of the regulator (read our news alert on the TCB findings and FSB findings). Whilst focused on TCB and FSB firms, the findings are still useful for other licensees. Summarized below are the key areas and what good practice looks like:
Both the FSB and TCB onsite examinations found that governance arrangements can be improved. Firms did not always demonstrate effective controls around management information and reporting to the Board, or held Board meetings infrequently.
Best practice includes an appropriately constructed governing body (usually a Board and delegated functions to meaningful committees), an engaged Board and Non-Executive Directors and the receipt of clear and fit-for-purpose management information that supports effective challenge and reporting of compliance risks. Attendance by Compliance at Board level is the industry norm.
Both visits identified that the compliance function was not always adequately resourced and that compliance monitoring was not on schedule or not adequately reported.
Best practice includes ensuring that the compliance function is staffed according to the complexity of the business and the risk profile of the activities performed (see Business Risk Assessment below). Furthermore, an adequately designed, risk-based and bespoke monitoring program should be in place and resources allocated accordingly. Monitoring outputs are typically reported to a governing body on an exception basis and action taken is evidenced.
AML Arrangements and SAR Reporting
Some firms did not demonstrate adequate procedures around enhanced due diligence (EDD) or Suspicious Activity Reports (SARs). Specifically, it was found that SARs may not always reach the MLRO, the MLRO was not always sufficiently independent and decision-making processes were subject to delay.
Best practice firms have clear and documented client take-on procedures which are understood by staff, who are also aware of the reporting procedures for suspicious activities. MLROs in such firms have sufficient resources to conduct investigations on internal reports and clearly document the decision-making process. Good practice firms also report variations in SAR statistics to a governing body where these are analyzed and discussed.
Business Risk Assessments
Although most firms regularly conduct Business Risk Assessments (BRAs), not all firms were found to adapt them to the firm’s specific risks and activities. This means that firms cannot demonstrate that their policies and procedures are appropriate to mitigate the firm-specific risks.
Best practice firms conduct “bottom up” and “top down” risk assessments, identifying business-wide risks that are specific to the client base (on which there is statistical analysis), activities performed by the firm and the nature of the business. Policies and procedures are designed to mitigate these risks. This presents a challenge to firms because, in theory, policies and procedures should dovetail with a BRA, but in reality, policies and procedures are put in place first. A review of policies and procedures based on BRAs can be time-consuming and costly. In our experience, a review of policies and procedures on a phased schedule is the most practical and cost-efficient method of keeping them up-to-date and fit-for-purpose.
How Duff & Phelps can Assist
Backed by award-winning expertise, Duff & Phelps offers regulatory advisory services that provide an independent perspective on your regulatory risk to enable you to prepare for future regulator visits. Experience shows that preparing for an examination (both by compliance and senior management) often results in a positive examination result.
Our services include:
- Mock regulatory audits, pre-enforcement and supervisory reviews
- Support with on-site regulator visits, examinations and enforcement investigations
- Review of governance arrangements and senior management arrangements
- Thematic compliance reviews
- Annual and ongoing reviews of compliance arrangements, systems and controls
- Compliance and regulatory secondments to assist with temporary resource gaps
- Staff training on regulatory matters
- Policies and procedures development
- Compliance infrastructure advisory
- Advice on preparing for regulatory changes
- Regulatory update notifications
- Compliance monitoring