Public statement concerning the imposition of a Civil Penalty under section 37 of the Insurance Act 2008 - Citadel Insurance Company Limited (“Citadel”)
1.1 The Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred upon it under section 35(1)(a) of the Insurance Act 2008 (the “Act”).
1.2 This action supports the Authority’s regulatory objectives of reducing financial crime and maintaining confidence in the Island’s financial services industry.
1.3 An investigation into Citadel by the Authority identified a number of regulatory failings and the Authority has deemed it necessary and proportionate that, in all the circumstances, Citadel be issued with a discretionary civil penalty under section 37 of the Act in the total sum of £3,100 discounted by 30% to £2,170 (the “Civil Penalty”).
1.4 The level of the Civil Penalty reflects the fact that Citadel has co-operated with the Authority and agreed settlement at an early stage, employing the Authority’s Enforcement Decision-Making Process (“DMP”).
1.5 The penalty, imposed at Level 2, further reflects the fact that:
1.5.1 Citadel’s failings were both systemic and long-standing.
1.5.2 Citadel has already taken substantial steps to remediate the failings identified in this public statement.
1.5.3 Citadel has proactively engaged a professional third party to report on the progress of its remediation.
2.1 Citadel is authorised by the Authority in accordance with section 6 of the Act to undertake regulated insurance business.
2.2 In May 2019 the Authority undertook an investigation in respect of Citadel to consider whether Citadel continued to satisfy the Authority that it was ‘fit and proper’ to be registered under the Act (the “Investigation”) in accordance with its statutory powers under Schedule 5 of the Act, which includes the power to investigate compliance with AML/CFT requirements within the meaning of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015 (the “Code”) and the Corporate Governance Code of Practice for Regulated Insurance Entities (“the CGC”). To be registered under the Act, a person is required to satisfy the Authority that, inter alia, it is a fit and proper person and that its controllers, directors and chief executive (if any) are fit and proper persons. This ‘test’ is an initial test at authorisation and registration and is an ongoing one.
3. Investigation conclusions
3.1 The Investigation identified a range of issues in relation to Citadel’s compliance with both the Code and the CGC which, on reasonable grounds, brought into question Citadel’s fitness and propriety.
3.2 Amongst those matters established were that:
3.2.1 Contrary to the Code, Citadel was unable to evidence that it had been undertaking customer risk assessments for large periods of time and that those in more recent times were inadequately documented.
3.2.2 Contrary to the Code, Citadel had failed to undertake a formal technological risk assessment.
3.2.3 Contrary to Part 4 of the Code, Citadel failed to evidence appropriate arrangements to effectively monitor customer and business relationships on an ongoing basis.
3.2.4 Contrary to paragraphs 14 and 15 of the Code, Citadel failed to evidence that it was operating appropriate procedures and controls in respect of, or monitoring, higher risk clients and/or clients who were/are politically exposed persons.
3.2.5 The absence of suitable arrangements detailed above further constitutes a number of breaches of the regulatory requirements imposed on regulated insurance entities by way of the CGC.
3.3 The matters above were aggravated due to the long-standing period of time over which non-compliance occurred and because a number of the matters identified by the Authority had previously been reported to Citadel by its control functions.
3.4 Notwithstanding these findings, the Authority has concluded that, in all the circumstances, apart from the Civil Penalty, no further regulatory sanction is necessary and therefore Citadel remains authorised to carry on undertaking regulated insurance business.
4.1 The Authority is satisfied that the imposition of the Civil Penalty to Citadel reflects the serious nature of the regulatory failings identified and that this public statement will encourage others to comply with the legal and regulatory requirements and obligations that are fundamental to the conduct of business in the regulated insurance sector.
4.2 In accordance with the DMP, Citadel entered into settlement discussions with the Authority and, having accepted the Investigation conclusions, sought to finalise matters expeditiously. The Authority acknowledges and welcomes Citadel’s co-operative approach and believes that this is a further positive endorsement of the DMP.
5. Cooperation and Remediation
The Authority is satisfied that Citadel cooperated fully and engaged positively with the Authority’s regulatory enforcement action. Citadel took the first opportunity to engage in the Authority’s DMP and settlement procedure. Citadel demonstrated that:
5.1 at the time of the Investigation, Citadel had already commenced a review of its procedures in relation to all its clients;
5.2 at the time of the settlement, Citadel had already implemented new procedures which addressed the failings which had resulted in the imposition of this Civil Penalty; and
5.3 at the time of the settlement, Citadel had engaged a professional third party, at its own expense, to undertake a wholesale review of its control environment. The report of the third party will be provided to the Authority.
6. Key Learning Points for Industry
- Compliance with the Code is mandatory, not optional.
- Non-compliance with the Code increases the risk that a regulated entity’s products and services could be exploited by those who would wish to launder money or finance terrorism.
- The Board of a regulated entity should have appropriate regard to (a) the reports and concerns of their control functions and (b) their overriding obligations to operate the business in compliance with its legal and regulatory obligations.
- A regulated entity should closely monitor the effectiveness of its risk and compliance functions and in particular how it ensures that the control processes established by the board are operated.
- The Authority expects the Board of a regulated entity to establish and foster a culture which reflects the importance of compliance with regulatory requirements.
- Citadel were proactive in responding to the concerns identified by the Authority and retained the services of a third party consulting firm to support Citadel in addressing its shortcomings and establishing and implementing a robust operational framework moving forward. The use of suitable independent professional resources to both address shortcomings and provide suitable validations to the Authority has enabled the Authority to conclude its investigation of Citadel.
- A regulated entity, having promptly and voluntarily entered into candid and open dialogue with the Authority, may, at the sole discretion of the Authority, receive a financial, or other regulatory sanction, rather than necessarily facing criminal prosecution if found by the Authority to have contravened the Code.