The Covid balancing act for regulated businesses in Guernsey
Rachel Amos and Victoria Pratt, Walkers, Senior Counsels, Guernsey, 29 September 2020
Moneyval, the Financial Action Task Force and the Guernsey Financial Services Commission have all had to react to the repercussions that the current pandemic is having on financial crime and regulation. New scams abound, the ‘working from home’ phenomenon has opened financial firms up to exploitation by international criminals and everyone has had to adjust to new risk-based 'matrixes.'
As the leaves begin to fall and we realise that winter is coming, we are also absorbing the news about the Coronavirus – it is here to stay for some time to come. Despite Guernsey having had a Covid-free summer, we need to watch out – not only for the physical symptoms of the disease but also for the risks that it brings into our businesses. Whether or not Guernsey returns to some sort of lockdown over the next few months, we also need to recognise that the working-from-home revolution that HR experts were promising for a long time before the pandemic may well be with us, whether we are ready or not. The world of risk – both professional and private – has become more complex for financiers.
At the international level, on 2nd September the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (Moneyval) published a report on trends in money-laundering (ML) and terrorist-financing (TF) trends during the pandemic in its member-jurisdictions, of which Guernsey is one.
At the national level, the Guernsey Financial Services Commission has been following the lead of Moneyval and its 'big brother,' the Financial Action Task Force or FATF, in its communications with the firms that it regulates on the island. In particular, the GFSC has issued guidelines for regulated firms during this period regarding an increase in the risks that pertain to fraud and the importance of operational resilience in the face of such an increase. It has also encouraged regulated firms to move towards ways of verifying the identities of (and information about) customers by electronic means.
The regulator has also been alerting consumers about various types of scams related to Covid-19 and has produced guidelines to govern working from home, outlining the risks that it poses and creates.
Guernsey's financial firms should note, however, that it has also said this: “For the avoidance of doubt we do not require firms to notify us of a change to their business plans because they are markedly increasing home working to comply with public health guidance. That said, if a firm is experiencing difficulty in being able to comply with its business plan or other regulatory requirements because of difficulties associated with working from home, we expect it to contact us to explain the nature of the difficulties and its thoughts on managing them at the earliest practical opportunity.”
A drop in staff and a relaxation of controls
Throughout all communications from the regulators runs a theme: any relaxations in controls and any distractions among the workforce are bound to leave the door open to an increase in crime. The regulators acknowledge that both governmental and inter-governmental bodies might fall down in their efforts to make policy as a consequence of the epidemic.
Guernsey is expecting Moneyval to inspect it in 2021 (or perhaps, in view of today's problems, 2023). Regulated businesses that are trying to deal with financial crime ought to realise that if they relax their controls to allow their people to work from home, to take on clients more easily or to cope with the absence of members of staff – or even with their holidays – they are opening themselves up to criticism. If the regulators themselves are facing an inspection, the firms should not expect them to be soft on them when they break the rules, understandable though their shortcomings may be in the face of the outbreak.
The GFSC has stated that it “recognises that firms may have had to amend their processes and procedures, not only to facilitate staff working from home but also to accommodate consumer and client circumstances – for example, for those customers who are self-isolating or sick or where firms are operating on reduced staffing levels. Whilst these changes are necessary in these unprecedented circumstances, firms should ensure that potential weaknesses in amended processes are fully assessed, addressed and documented and that all relevant staff are made aware of the increased risk.”
Trends and themes
Three themes that run through the Moneyval report, the FATF’s Information Notes and the GSFC’s guidelines are particularly relevant to regulated businesses. These concern fraud, corruption and an uptick in cybercrime – all caused by the virus.
The FATF's notes, published in May, arrive at the conclusion that problems that stem from the contagion “represent emerging ML and TF risks. Such risks could result in [amongst other things]: Criminals finding ways to bypass customer due diligence measures; increased misuse of online financial services and virtual assets to move and conceal illicit funds;”
In the same paper the FATF anticipates more money-laundering than usual: “Governments, businesses and individuals are increasingly turning to online systems to enable remote work. Individuals under “lockdown” (or other movement restriction measures) are also increasingly turning to online platforms for social interaction;”
The standard-setter adds: “Criminals finding ways to bypass CDD ["customer due diligence"] measures by exploiting temporary challenges in internal controls caused by remote working situations, in order to conceal and launder funds;”
Moneyval notes in its report: “There was a shift in private sectors’ way of working, with limits imposed to physical meetings and a significant increase in non-face-to-face business relationships and remote operations. This raised supervisors’ concerns with regards to the full application of customer due diligence (CDD) measures.”
Despite the economic downturn that the virus has caused, illicit finance continues to flow. Moneyval says that criminals are trying to exploit temporary weaknesses in AML controls at financial institutions and that firms are more exposed to fraud than before because many of their staff are working from home.
Fraudulent schemes, then, are likely to evolve as the worldwide infection continues. The GFSC articulated this message very clearly to its flock even before the FATF and the FSRB [FATF-style regional body] Moneyval. It did so on 27th March, saying: “The [GFSC] would ask all licensees and registered businesses to stay attuned to the heightened risk of fraud facing each of their businesses.”
These various bodies have published the following wish lists.
From Moneyval came these two objectives.
- The private sector must adjust its risk-based 'matrixes' to place sufficient emphasis on emerging risks and trends, such as new clients that it is accepting during the lockdown, or remote operations.
- Law enforcers ought to pay sufficient attention to the investigation of frauds and cyber-crimes that people are committing during the crisis.
In the May paper, the FATF counselled national supervisory bodies to encourage the full use of a risk-based approach to CDD and to solve practical problems. Some supervisors have pursued some of the following measures in relation to CDD.
- The application of simplified due diligence (SDD) measures when firms identify lower risks - for example, accounts created specifically to facilitate government payments to people or businesses and to offer access to digital/contactless modes of payment.
- Stating in guidelines that there may be legitimate reasons for customers not providing information for continuing 'due diligence' (i.e. checking of various kinds) or ‘know-your-customer (KYC) refreshers’ (e.g., if they are confined, under quarantine or ill) and stating also that the usual processes for dealing with these situations (not least an exit from the relationship with the customer) may not be appropriate at this time.
- Allowing reporting entities to accept recently-expired government-issued identifying documents until further notice when verifying people's identities (although still requiring them to determine the authenticity of every identification).
- Considering the application of delayed verifying provisions for new business relationships in line with the FATF standards (e.g. by imposing transaction limits). Reporting entities can accept digital copies of documents in the short term, although they must have sight of the originals in due course.
- Encouraging firms to use "responsible digital identity" (whatever that is) when identifying prospective customers and while conducting transactions.
- Undertaking pragmatic, risk-based AML supervision.
For its part, the Guernsey Financial Services Commission has said that the firms that it regulates should assess, address and keep documents of potential weaknesses in amended processes as fully as they can. It expects firms to continue to apply effective fraud controls, including:
- ones that undertake or update their fraud risk assessments;
- a never-ending vigil for new threats and risks, among them those that are emerging through the increase in remote working;
- integrated fraud control as part of their policies and procedures, especially to prevent cybercrime;
- 'upfront' controls that identify and verify people and businesses, along with every beneficiary’s account details, as a means to prevent fraud from taking place; and
- the use of 'upfront' fraud prevention clauses in application forms and processes (including call scripts) to make applicants aware of the ways in which the firms are going to use their data and their legal obligations.
The GFSC notes that each firm ought to make all relevant staff aware of the increase in risk. This has implications for training and desktop compliance at regulated firms.
Suggestions and conflicting advice
The FATF has already staked out the ground regarding the use of digital ID to help bridge the gap.
In its May paper under the heading of “Potential AML/CFT Responses” it mentions the phrase “Encouraging the use of responsible digital identity and other responsible innovative solutions for identifying customers at onboarding and while conducting transactions” and it refers to a paper on digital ID that it published in March, stating that “non-face-to-face onboarding and transactions conducted using trustworthy digital ID are not necessarily high-risk and can be standard or even lower-risk”.
Lastly, in Annex A, a statement from the FATF's president says: “in-person banking and access to other financial services is difficult and unnecessarily exposes people to the risk of infection. Use of digital/contactless payments and digital onboarding reduce the risk of spreading the virus.”
All supervisors have continued their AML/CFT supervisory activities, although they have adapted their practices to be more pragmatic in the current situation. Supervisors continue to monitor the business continuity plans that financial institutions have put in place and followed, with the aim of seeing whether their operations (including their AML/CFT measures) are still sound. Some supervisors are scrutinising different things. For example, they are looking more intently at online casinos and gambling platforms because regular casinos and gambling arcades are closed. They are also paying more attention to dealers in precious metals and stones because people are investing more than before in gold.
To facilitate the smooth processing of applications, some supervisors have approved simplified due diligence or SDD at firms that are verifying information about customers etc. They are allowing SDD to apply to transactions that occur in accordance with government assistance initiatives, believing them to pose lower risks. They are still, however, obliging regulated entities to take "mitigation measures" such as continuous due diligence and to review their CDD if they detect other risks at a later date.
Inspection risk on the rise at all levels
The regulators and standard-setters are also saying that – for themselves as well as for regulated businesses – the task of keeping up the pace of regulatory evolution and innovation, i.e. keeping up with the criminals, will be a problem.
In its report, Moneyval emphasised the need for compliance with the FATF's 40 recommendations and the importance of making firms and regulators even more vigilant in the light of the Corona-crisis. It strongly encouraged Guernsey (along with all other countries) to apply the FATF's standards in full. In Moneyval, one might argue, the GFSC has its own regulator. If it grants firms exemptions or "simplified measures" to expedite the processing of payments and boost the economy, Moneyval might challenge it and ask it to justify its decisions and to support them with a risk analysis.
It is clear that although the regulators and supervisory bodies are making sympathetic noises about the position that businesses find themselves in, they also want them to offset the risk that home-working poses to the establishment of processes and procedures that firms need if they are to do proper CDD.
Moneyval will inspect the GFSC next year. The GFSC will doubtless be keen to show it that the firms that it regulates have taken these messages on board. Whether it is sympathetic to those firms or not, it will be looking for areas where they have responded to the fresh dangers that an increasingly mobile and distributed workforce poses, especially now that it is working more flexibly than ever before, and the ways in which the new way of working poses a risk to established controls.
Immediate steps to take
In response to the (possibly permanent) increase in working from home, it is a high priority for every financial business in Guernsey to do the following.
- Review its employee working-from-home policy to ensure that it is comprehensive and meshes with its AML and CDD policies and wider staff policies (such as data protection and IT security). If it lacks a working-from-home policy for staff, it should put one in place.
- Review and adjust its risk-based 'matrixes,' placing sufficient emphasis on emerging risks and trends that spring from the pandemic, such as new clients that it has accepted during the lockdown or remote operations, and be able to justify them as proportionate and, of course, properly documented and communicated.
- Pass on these updates and expectations to its staff. Not only will this help head off problems; it will also make it easier for it to deal with malpractice on the part of its employees and show the regulator that it is actively doing so.
- Review the arrangements by which it monitors its employees. Monitoring is lawful as long as it is undertaken appropriately and (in nearly all cases) the employees know it is being undertaken.
- Make full use of appraisals or performance-management meetings to ensure that employees are following good practice in the most active way possible. If those employees are not doing so, the business should make it clear that, no matter how great their performance is in other areas, it will not reward or overlook non-compliance or carelessness.
- Review the way in which it supports the activity of working from home. Does the IT infrastructure need an upgrade? Does the Human Resources department need additional support to ensure that people are performing properly? Have the needs that staff have to be trained increased or changed?
All firms are still having to grapple with the problems that working from home poses while keeping their AML processes efficient. At the same time, they are having to deal sympathetically yet firmly with an anxious workforce. This is all part of the great “Covid balancing act” of 2020.
* Rachel Amos can be reached on +44 (0) 1534 700 720 or at rachel.amos@walkersglobal.com; Victoria Pratt can be reached on +44 (0)1481 748 938 or victoria.pratt@walkersglobal.com