GFSC Updates – salient highlights
1 Summary of changes to Handbook
1.1 Chapter 3 – Relationship risk assessment:
1.1.1 Relationship risk assessment needs to be carried out before establishing a business relationship or carrying out occasional transaction. For existing business relationships, risk assessments have to be reviewed regularly and the risk posed by the business relationships should determine the frequency of reviews. New risk factors identified as part of ongoing monitoring and trigger events should prompt businesses to update their relationship risk assessment and business risk assessments where relevant.
1.2 Chapter 7 – Legal Persons and Legal Arrangements
1.2.1 Chapter 7 now provide more information in regards to what should be collected by firms when establishing a trust or entering into a business relationship or occasional transaction with a trust. As a minimum the information must include the name and date of birth. To assess if more information needs to be obtained, trustees will need to undertake a documented assessment on the like hood of the person benefitting from the trust. The identity of all beneficiaries must be verified prior to any asset distribution. Where a trust is a key principal to a business relationship or occasional transaction, the firm must require the trustee to provide details of any class of beneficiaries and any other person who to the best of the trustee’s knowledge, is likely to benefit from the trust.
1.2.2 Where a firm is undertaking customer due diligence on a customer which is a trust the firm needs to undertake measures to understand the ownership and control structure of the trust in addition to taking measures to verify the identity of the beneficial owner.
1.2.3 Where a business relationship has been assessed as high risk, firms must take reasonable steps to verify the identity of all beneficiaries and other persons who are likely to benefit from the trust at the time that the assessment of risk is made.
1.2.4 When verifying the identify of a beneficial owner of a corporate trustee, money laundering and terrorist financing risks associated with the ownership of the corporate trustee, its regulatory framework and the control or influence of a particular beneficiary should be given due regards.
1.2.5 If the trustee or its parent is subject to the same or equivalent provisions of the Handbook, it may be possible to rely on information in the public domain or provided by the trustee regarding the identity of its beneficial owners and its directors or other controlling persons by way of a summary sheet and/or structure chart, without the need to gather identification data on those individuals. Firms needs to consider reports and assessments by the FATF and/or FATF-style regional bodies, in particular findings, recommendations and ratings of compliance with FATF Recommendation 28 which assesses the adequacy of supervision of trustees and document the conclusions of its assessment.
1.3 Chapter 12- UN, UK and Other Sanctions
1.3.1 The Sanctions and Anti-Money Laundering Act 2018 gives the UK government the powers to implement sanctions, including financial sanctions, trade sanctions and immigration sanctions following withdrawal from the EU.
1.3.2 The Bailiwick has passed additional legislation, the Sanctions (Bailiwick of Guernsey) Law, 2018, to implement a wide range of country-specific sanctions enabling the implementation of sanctions imposed by the UN and/or the UK
2 Exit Interviews for MLROs and MLCOs
2.1 Exit interviews for MLROs and MLROs have been extended to all sectors and made permanent by the Commission. The aim of the interviews is to assist the Commission to understand the responsibilities and challenges faced by those in these key positions. The latest edition of the Aspida Insight considered what it was like to be an MLRO in today’s climate and this latest initiative from the Commission confirms Aspida’s stance on the growing lists of responsibilities and increased accountability expected from the MLRO and MLCO.
3 Cyber Security Rules and Guidance
3.1 After a 2 years engagement with industry, the Commission published the Cyber Security Rules and Guidance 2021 on 15 February 2021.The guidance is principle based to facilitate application across the Bailiwick’s diverse financial sector. The Cyber Security Rules should be effective immediately however transitional arrangements within the rules allow firms to implement changes to their internal controls to ensure compliance with the Rules by 9 August 2021.A copy of the consolidated rules and guidance can be found here.
Compliance was once seen as the ‘business prevention unit’, however here at Aspida from our very origins we have seen compliance as a business enabler and our practical and pragmatic tagline has become even more prevalent in recent years.
Whilst the Malta Financial Services Authority in Malta advocates that “RegTech solutions improve regulatory processes with the aim of helping authorised entities to comply with greater certainty and more efficiently to regulatory and supervisory requirements. .”, at Aspida we see utilising RegTech as wider to provide substantially more benefits to businesses.