Regulatory Enforcement – Our Top Five Takeaways for Boards and Compliance Professionals
22 March 2021
In this update, our team of regulatory experts set out our top five takeaways arising from recent enforcement cases against regulated businesses. The cases in question started life as routine regulatory issues, and escalated from there. Our team have extensive experience in guiding regulated clients through regulatory issues and examinations and in addressing the issues arising
In the last month there have been two significant legal and regulatory enforcement actions: firstly, the latest civil penalty issued by the Jersey Financial Services Commission (the JFSC) (the Civil Penalty); and secondly a criminal prosecution for two breaches of the Proceeds of Crime (Jersey) Law 1999 (the PoCL) (the Prosecution). Collectively they signal a shift to more legal and regulatory actions for procedural failings.
The penalty and fine in question were significant (a total of £719,451.21 in the Civil Penalty and £550,000 plus £50,000 costs in the Prosecution). The history in each case dates back several years and had potentially humble beginnings: in the Civil Penalty case, the JFSC's concerns appear to have first arisen in 2017 in relation to resourcing of the compliance function; and in the Prosecution the taking on of the business dated back to 2010, and concerns appeared to have arisen at the JFSC in late 2013. In both cases, the JFSC undertook on-site examination visits that identified further issues and the matters both ultimately escalated to the conclusions set out above.
The cases demonstrate the long tail risk that often arises in regulatory matters. The increasing drive within the JFSC and prosecuting authorities to demonstrate their own supervisory effectiveness, coupled with a greater number of regulatory visits, mean that the primary focus for regulated entities should be on ensuring they are properly prepared for regulatory inspection and are able to deal with issues arising.
Mourant Ozannes has extensive experience in advising on regulatory matters, including guiding businesses through potential enforcement scenarios. We established Mourant Consulting in 2021, a business carrying extensive regulatory experience, to help firms take a proactive, ‘prevent and detect’ approach to governance, risk and compliance matters that aims to inspire the confidence of the Regulator. We work collaboratively to assist businesses at all stages – from assisting regulated businesses to prevent issues occurring in the first place, or at least addressing them prior to escalation, through to guiding regulated businesses and persons through potential regulatory and/or criminal enforcement action.
In this briefing, our team set out our Top Five Takeaways from these latest enforcement cases.
The primary focus must always be on ensuring your business operates within the law and regulation. However, you cannot just do it: you have to evidence you are doing it.
In the Civil Penalty statement, the JFSC criticise the lack of detail in board minutes on key business documents as well as consideration and progress of risk issues flagged. The JFSC concludes the relevant entities were unable to demonstrate adequate monitoring and control. Similar criticism is made in respect of key documents such as the Compliance Monitoring Plan and AML/CFT Business Risk Assessment. Similarly, in the Prosecution case, the Court found that there was a lack of evidence of consideration of some key points (see further below).
There is clearly a balancing act to perform – in the Civil Penalty statement the JFSC also criticise certain compliance reports as too detailed. In addition, too much detail can result in a lack of focus and can contain unhelpful elements. However, ensuring that you are able to point to evidence of proper discussion, conclusion and progress on regulatory risks is paramount.
2. Cumulative effect of risks and red flags
The AML/CFT framework in Jersey is designed to ensure that Jersey is not used in the conduct of financial crime. The "risk based approach" is intended to ensure that areas of concern are spotted and addressed. In the Prosecution, it is clear that the entity appreciated the high-risk nature of the business and took a number of steps to try to mitigate those risks. However, the Court concluded that multiple "red flags" were either dismissed without sufficient justification or not spotted at all. The red flags range from direct questions such as whether the investment of funds was authorised and lawful to more rhetorical questions such as why the fees were so high for relatively limited work.
It is clear from the judgment in the Prosecution case that comfort should not be derived from the fact that other service providers, and even the regulator, are also aware of certain red flags. The onus is on each regulated business to ensure it has identified the red flags, considered the cumulative effect of them, addressed them and documented that process.
The factual background to the Civil Penalty concerned compliance resourcing. It is a requirement of the regulatory Codes that an effective compliance function is in place. The JFSC pointed to a number of instances in which it considered the compliance function to be inadequately resourced, demonstrated by a lack of progress on key aspects due to resourcing, too many key person roles being held by compliance personnel, considerable compliance overtime hours and resource concerns being raised with the board (though not adequately addressed).
It is also clear that resourcing is broader than simply demonstrating sufficient resources and progression of compliance projects. There is also the need to ensure compliance has the appropriate voice and authority within an organisation and that sufficient attention and focus is given to compliance and risk matters by the Board. In the Prosecution case, the Court noted that recommendations from the compliance function had been overridden, seemingly in favour of commercial interests. There is a clear need to ensure that points raised by compliance are properly considered, acted upon and evidenced.
A key feature of all the JFSC's civil penalty public statements issued to date has been a lack of adequate remediation. It is a feature of both of these cases that issues were identified, either internally or by the JFSC, and were not adequately addressed. The process of remediation draws together the other topics discussed in this note – identify the issue, apply appropriate resources to it, plan what to do about it, and evidence the entire process.
If a business sees remediation as a race of get to sign-off, there is likely to be a negative outcome. A careful and planned remediation and evidence of proper completion is essential, as is communicating that process to the regulator and getting buy-in.
5. Co-Operation and Notification
In both of these cases, the regulated businesses co-operated through the enforcement process and received credit for doing so. However, there were also earlier instances of failure to notify the JFSC of relevant matters, as well as an instance of informing the JFSC an issue had been remediated which was not sustainable (in the JFSC's view at least).
The duty of candour to the regulator is clearly of paramount importance and must be respected. It is however equally important to ensure correspondence is properly considered and demonstrates a plan to address the issues identified in an appropriate manner.
Our team of experts across Mourant Ozannes and Mourant Consulting, have extensive experience of assisting firms to ensure their risk framework addresses these matters appropriately to avoid encountering regulatory problems in the first place. We can also assist businesses to prepare for regulatory visits, respond to concerns raised, and work through potential breaches and enforcement cases.
If you have identified potential regulatory concerns in your business, or are preparing or engaged in a regulatory visit, our team of experts are happy to discuss potential risks arising and how best to address those issues to protect your business and its people.