The Authority’s AML/CFT Update Webinar - 1 March 2021 – watch the video, download the slides and read the Q&A responses
Watch the recent update from Andrew Kermode and Ashley Whyte here
Copies of the slides shown within the webinar can be found below:
Questions raised at the Authority’s AML/CFT Update Webinar - 1 March 2021
This document responds to questions raised by participants attending the Authority’s Anti-Money Laundering / Countering the Financing of Terrorism (AML/CFT) webinar.
When is the next MoneyVal assessment?
As explained in the webinar, although the Island’s technical compliance ratings can be re-rated by way of a desk based review; in order to re-assess the immediate outcomes relating to effectiveness we need to have an on-site follow up inspection.
At present we do not know when this will be, as timescales of assessments have slipped with both FATF and FATF-style regional bodies due to Covid-19, as well as lack of resources. In the meantime, the IOM government has published its own summary of progress made in relation to our recommended actions which entities may find useful. The report is available here.
Findings from the AML/CFT Returns
Participants were interested in the results of the AML/CFT Returns and asked
- Why outsourcing elements of AML type services increases risk?
Generally, we consider that outsourcing processes or functions can inherently increase the risk of something going wrong as management are not directly in control of that risk. Outsourcing can also add complexity to operational arrangements relating to AML/CFT. It is therefore important that, when an entity outsources material processes or functions, strong control mechanisms are in place such as clarity on responsibilities, good quality management information and reporting, and quality assurance mechanisms such as compliance or internal audit reviews.
- Was the Authority surprised that 33% of trust companies did overnight sanctions screening?
We expected that banks would have daily monitoring systems in place, but that other sectors may only monitor for sanctions at business take on, upon periodic review points, and where sanction lists are updated. However, if an entity uses daily screening tools for monitoring other matters such as PEP information, or negative news, sanctions screening may be part of that package. We would encourage all entities to have in place systems appropriate to their business and risk profile for the purpose of ongoing monitoring.
- Did any of the analysis findings cause a concern to the Authority?
The data only tells us so much, but at a high level it has mostly reinforced our views regarding which sectors pose the more inherent risks and vulnerabilities. The findings have also been consistent with the National Risk Assessment, giving better evidence to support the conclusions contained therein. The findings do help us consider where to spend further time from a wider thematic basis; for instance, that is why we are following up in more detail in the area of foreign PEPs.
- What is the comparative (risk) position for the Insurance and General Insurance Sectors?
We are still undertaking sector reviews of insurance using 2018 and 2019 data sets. We do however expect the life insurance sector to have some similar characteristics to the banking sector and pose a medium to high inherent risk. For the general insurance sector, the risk profile is expected to be lower, more akin to the investment and financial advisory sectors. We are also still considering how best to break down the general (non-life) insurance data.
- Why the data analysed was not the most up to date return data?
The 2019 data, which is the most up to date, was only received by the end of 2020 and we have therefore not yet completed our analysis. We aim to complete our reviews by end June 2021, ahead of the receipt of the 2020 data, so that more timely information is available and published.
- Is the Authority reviewing/changing the information sought in the AML/CFT Return?
The current forms should be used for the 2020 data sets, due in by June 2021.
However, we recognise that the current forms need to be reviewed, to make sure the information is as relevant and useful for our purpose as it can be, is not duplicating other information we receive, and is able to be extracted from entities’ systems in an accurate way.
As part of our wider work on data systems we will review the return during 2021 and will issue further communications once we have a clearer picture of timescales for any changes. Our aim is not to add to the data set at this time.
Individual firms risk profiles
- Participants asked when regulated entities would find out their inherent and residual risk rating for Financial Crime Risk.
We will consider if, and how, we will communicate individual financial crime risk ratings as part of our wider work on the supervisory methodology which covers a range of risks, not just financial crime. This work will be continuing during 2021 and into 2022.
We don’t always think focusing on a specific rating gives the best outcome. It can be more productive for us to explain where we think the main risks are, and which risks we are most concerned about. This enables conversations about the drivers of those concerns, and what can be done to reduce risks, rather than focusing on ratings.
Participants asked about the timeline for providing more information about the changes to the supervisory approach?
We expect to be in a position to provide a more detailed update about our planned changes to the supervisory approach in Q3 2021. If we can accelerate this we will do so.
Participants wanted to know more about a range of areas including:
- Whether the Authority works with the other crown dependencies regulators to avoid regulatory arbitrage?
We have regular AML/CFT themed meetings with our counterparts in Jersey and Guernsey in order to discuss matters affecting all Crown Dependencies. It should be noted that although legislation and guidance across the Crown Dependencies may not be identical we are working to the same international standards.
- How the Authority considers the commercial impacts of the guidance (e.g. Private Trust Company (“PTC”) Guidance would appear to put the IOM at a commercial disadvantage when compared to Guernsey and Jersey who amended their POCA)?
Schedule 4 of the Proceeds of Crime Act 2008 (“POCA”) mandates which activities are in-scope of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (AML/CFT Code). Schedule 4 includes any regulated activity within the meaning of the Financial Services Act 2008 (regardless of whether an exemption applies). This results in PTCs, which are acting by way of business and availing themselves of the regulatory exemption for PTCs, being subject to the requirements of the AML/CFT Code in their own right. To change this position would require an amendment to POCA.
We will be embarking on an exercise to review the Financial Services (Exemptions) Regulations 2011 to determine whether all exempted activities should be caught by POCA and therefore in scope of the AML/CFT Code or whether some maybe carved out. This review will be undertaken to ensure the scope of POCA and the AML/CFT Code remains appropriate with the Island’s National Risk Assessment and in line with international standards.
- Whether the new AML/CFT Handbook would be consulted upon?
We do not as a matter of course consult on the AML/CFT Handbook. This is however a living document and the AML/CFT Unit welcomes comments and feedback at any time. We do share the AML/CFT sector guidance drafts with the relevant professional body prior to publication on the Authority’s website.
- Would the Authority give further guidance on enhancement of digital methods of collection of KYC documentation?
When the revised AML/CFT Handbook is published in Q2 it is proposed to include a best practice guide in relation to customer due diligence (“CDD”), this will include a dedicated section on electronic-CDD. This document will not provide guidance on individual providers of services of this nature but will focus on potential risks in this area and include suggested controls which could be implemented in order to mitigate those risks.
- Would the Authority issue updates in relation to the blockchain, cryptoassets and fintech sector?
We have already published AML/CFT Sector Guidance in relation to virtual assets, available here.
We have also published further guidance in this area relevant to consumers which can be found here.
The Authority’s Foreign PEP Thematic
Participants wanted to know more about how the sample firms had been picked, whether they had been informed, and when the review would start, complete and feedback be published.
We have used the data gathered from the statistical returns over the past 3 years as a basis to pick our samples of firms for the first phase of the thematic exercise, with a focus on the sectors that have the most exposure to foreign PEP business.
We have not yet reached out to those firms who we will be part of the thematic exercise but expect to do so soon. The first phase of the thematic review will be a questionnaire which is to be sent out shortly.
The exercise, including any further inspection work we may carry out as part of phase two, will continue throughout 2021, and feedback will be published.
Authority Information Sources
Participants were interested in the additional (Intelligence) sources the Authority utilises/has available to it.
In the Webinar, sources of information were discussed in the context of our developing supervisory approach and risk assessments of financial crime. Examples of additional sources of information or intelligence include from our own files, from other regulators (for example where entities are part of wider groups), the FIU or other government agencies, and customers or whistle-blowers.
Participants wanted to understand more about the Authority’s approach when a jurisdiction is moved to the FATF grey list in light of the Cayman Island inclusion on the FATF grey list.
The Cayman Islands have been added to the FATF grey lists due to the FATF determining that they have not made sufficient progress on their AML/CFT action plan. As a result of this the Cayman Islands have been removed from List C (Equivalent jurisdiction list) and placed on List B (Jurisdictions that may pose a higher risk).
Inclusion on List B means that simplified measures must not be used for customers in the Cayman Islands. Firms cannot exercise discretion regarding this as it is a requirement of the AML/CFT Code. Where any Cayman Islands’ customers have been on-boarded previously using simplified measures this should be notified to the Authority as explained in this press statement.
Furthermore, because the Cayman Islands is no longer on list C (Equivalence list), Cayman Islands’ entities can no longer be treated as an “external regulated business” or a “trusted person” as defined by the AML/CFT Code. Again, this is a legislative requirement and there is no discretion.
When the Department of Home Affairs consulted on the AML/CFT Code in 2019 it was proposed that List C would be removed and licenceholders/registered persons would themselves determine which jurisdictions would be appropriate to consider as equivalent in accordance with a risk based approach. Overwhelming feedback was received from licenceholders/registered persons that the preferred approach would be to keep List C.
 This review is only in respect of the AML/CFT implications – not whether the exemption from licensing under the Financial Services Act 2008 is appropriate.