Key Themes from Supervision Andrew Kermode Colin Manley - - PowerPoint PPT Presentation



SLIDE 1

Key Themes from Supervision

Andrew Kermode Colin Manley

www.aicp.im

SLIDE 2

Financial Services Authority Supervisory Update

Andrew Kermode & Colin Manley

SLIDE 3

Agenda

Key Supervisory Observations

  • Risk Management & AML/CFT
  • Governance and Other Risk Management
  • Conduct (protecting consumers)

Focus and priorities for 2020 / 2021

Key Messages / Re-cap

SLIDE 4

Key Supervisory Observations

  • Reflect key areas of recent supervisory focus and also recent regulatory interventions.
  • Undertaken more inspections of TCSPs over the last 2 years compared to other sectors (reflective of size of sectors & also consideration of risk): more observations come from this engagement but are of relevance to other sectors.
  • Presentation weighted to areas for improvement. This doesn’t mean issues are occurring in all firms.
  • Thematic reviews do / will consider examples of good practice e.g. ORSA review for insurers.
  • Lots of examples of constructive engagement with firms during the year and we would like this to continue.

SLIDE 5

Risk Management - TCSPs

Lack of maturity in aspects of Risk Management Frameworks

  • Risk management frameworks required to address all material risks.
  • Detailed processes and procedures in some areas but simply generic statements in others.
  • Business Risk Assessment (Code and Rulebook Requirement):-
    – Risks only identified at a generic level.
    – Must address ML/FT risks pertaining to the firm’s services / products, customers, jurisdictions and distribution channels.
    – Risk mitigation and controls must be focussed on own risks and be reflective of actual control framework.

  • Weaker -> financial, operational, reliance on group (ops & financial).
  • Compliance is part of an effective risk management framework.
SLIDE 6

Risk Management - TCSPs

Risk Appetite

  • Important context - operating environment clearly changing & challenging market.
  • Lack of clarity / formal articulation of the amount and type of risk that a firm is willing to pursue, retain or take (accepting that there is no tolerance for ML/FT).

  • How then is this translated down to staff / front-line?
  • Acquisitions / new ownership:
  • Sufficiency of resource, before and during.
  • Risks and how managed and controlled.
  • Expect adequate assessment – not generic.
  • Change to Risk Appetite?
SLIDE 7

Risk Management - Insurance

Life Insurance

  • We have seen risk management frameworks develop and strengthen.
  • Also see more robust articulation of tolerances (linking to new framework).
  • Currently reviewing ORSAs and will feed back.

Non-Life Insurers

  • See the need for commercial insurers to strengthen frameworks – area of focus.
  • Captives represent lower risk.

Some improvements required in refining appetite and tolerances, recognising proportionality. In many cases a question of pulling together current practices to help demonstrate activities and assessments.

SLIDE 8

AML/CFT - TCSPs

Customer Risk Assessments (“CRA”) – BRA addressed earlier

  • Did not always consider all relevant risk factors.
  • Information contained in CRAs, and used to assess risk rating, was inconsistent with information retained on files.
  • Lack of financial and transactional information on file for customer entities or this information not maintained. Not evident how unusual activity could be identified.

  • Limited or no documented consideration of complex structures.
  • Deficiencies in source of funds / source of wealth information and verification.
SLIDE 9

AML/CFT - TCSPs

Customer Risk Assessments (“CRA”) cont.

  • Basis of risk rating was insufficiently clear and / or insufficiently documented.
  • Risk rating not consistent with risk factors.
  • Follow up actions recorded on CRAs, however cases where follow-up didn’t occur or wasn’t timely.

SLIDE 10

AML/CFT – Funds Business

Context

  • AML/CFT Code applies to “relevant persons”.
  • “Relevant persons” are not only fund managers / administrators, but also IOM funds established under the Collective Investments Scheme Act 2008.
  • The AML/CFT Code applies directly to IOM funds, and those funds’ governing bodies retain responsibility for compliance with the AML/CFT Code.
  • In practice, governing bodies of funds delegate a lot of AML/CFT activity to IOM based fund managers / administrators, and to those TCSPs providing fund services to exempt schemes.

SLIDE 11

AML/CFT – Funds Business

Relationship between the IOM fund and the Functionary

  • AML/CFT delegations to be clearly documented in service agreements / offering documents; important that both parties understand their obligations and there are no “gaps” – this equally applies to exempt schemes.
  • Examples where we have seen uncertainty and potential gaps include: ownership of customer (investor) risk assessments, ongoing monitoring processes, and MLRO duties.
  • We are in the process of revisiting the sector guidance as part of the wider updates to the AML/CFT Handbook, and will also be issuing thematic feedback.

SLIDE 12

AML/CFT – Funds Business

Risk Assessments and ongoing monitoring

  • Risk assessments of Funds: how will / does the fund itself comply with the AML/CFT Code? What risk assessments are undertaken by the governing body? What is the investor base (where money is coming from)? What is the fund investing in? Is the structure complex / multi layered and if so why?
  • Risk assessments of customers of Funds (investors): often this is done by a functionary – have seen limited documented rationale for risk ratings, and lack of documented clarity around the ongoing monitoring of customer risk and CDD, also relating to triggers.

SLIDE 13

AML/CFT - Banking

Banking Sector

  • Ongoing monitoring of gaps – customer information and trigger events; ongoing screening; transaction monitoring and identifying unusual or suspicious activity.
  • Commencing on-site inspections with a particular focus on developing new FSA risk assessments for AML/CFT (which uses a variety of data sources), and utilising financial flow data to help test key aspects of the control environment.

  • Key controlled function role holders (e.g. MLROs) and succession planning.
SLIDE 14

AML/CFT – Insurance & Pensions

Life Insurance

  • Focussed on individual firms and small sample so very firm specific.

Insurance Managers and Managed Entities

  • Reminder that manager’s and “managed” risk assessments are separate. “Managed” cannot rely on manager’s assessments.

Pensions

  • Commonality with some of TCSPs themes -> BRAs not sufficiently focussed on actual business models, some deficiencies in CRAs.

  • Sector guidance imminent.
SLIDE 15

Governance & Other Risk Management

General observations

Delegation of Functions (provider and receiver)

  • Agreements not always matching, or reflecting services being provided.
  • Agreements not identifying the correct legal entities / parties.
  • Clarity on who is responsible for review, monitoring and reporting of compliance with service requirements.

Integrity of Financial Controls

Documenting decisions

SLIDE 16

Governance & Other Risk Management

General observation

Conflicts of Interest

  • All firms are required to establish, implement and maintain effective conflicts of interest policies including controls to manage conflicts which constitute or may give rise to a conflict of interest entailing a material risk of damage to the interests of one or more of its clients.

  • Not sufficient to simply record the conflict, need to manage conflicts.
  • Needs to be sufficient independence in oversight.
  • Where conflicts cannot be managed they should be avoided.
SLIDE 17

Conduct – Life Insurance

Published Thematic on Gone Away & Orphan Clients

IoM Insurance Framework, plus considered ABI frameworks and UK FCA Guidance

Gone Away Clients

  • Most but not all insurers had procedures in place on how to manage their relationship with ‘gone away’ clients and could identify ‘gone-away’.
  • Varying practices around the method and number of attempts to contact ‘gone away’ clients.
  • No insurer provided any formal reports proactively to the Board of Directors on ‘gone away’ clients.

SLIDE 18

Conduct – Life Insurance

Gone Away Clients – FSA expectations

  • All insurers to have established Board Approved principles and a framework to manage ‘gone-away’ clients – due consideration to TCF.
  • For insurer to determine frequency of attempt and method, however not appropriate to make no further effort after first piece of returned mail / failed contact.
  • Cross check veracity of address on system to application, contact associate party (IFA etc.) or other public information.
  • Report to Board at least annually, on ‘gone away’ clients and whether treatment is in line with Board principles.

SLIDE 19

Conduct – Life Insurance

Orphaned Clients

  • Most but not all insurers had procedures in place to identify and value ‘orphaned’ clients.
  • Process for managing ‘orphaned’ clients varied.
  • Wide approach to TCF, in particular in relation to charges and retention of commission structures and adviser fees.

Orphaned Clients - FSA expectations

  • Establish procedures to record and provide MI to relevant stakeholders.
  • Write to ‘orphaned’ clients informing of position and potential implications.
  • Develop approach to TCF, including ‘trail commission’ arrangements.

  • Report to Board, at least annually, on ‘orphaned’ clients and treatment.
SLIDE 20

Conduct – Life Insurance

Conduct of Business Code

  • Initial high-level thematic review of implementation of new code completed.
  • Suggests adherence is generally good and will feed back results shortly and publish.
  • Some matters to follow-up on.
  • Outcome of the thematic will lead to more targeted reviews.
SLIDE 21

Conduct – Investments and Funds

Financial Advice: DB pension transfers

  • Consideration of ALL matters (new and ceding scheme) – should not “disaggregate” advice.
  • Cost and commission sharing (with conditions).
  • Use of employer based “group personal pension schemes” for non-employees.
  • Adequacy of PII.

Fund structures: transparency and reasonableness of fees

  • Additional layers and complexity – are they needed, who is benefiting? Are there conflicts?
  • Who is driving changes to fee structures? Are they in the interests of investors? The role of the IOM “independent” directors.

  • Importance of communication to investors.
SLIDE 22

Focus and priorities: 2020-2021

Cross sector

  • Continuation and delivery of our Priority Projects
  • Pilot elements of new supervisory methodology internally and help to refine our supervisory approach; starting with AML/CFT and then conduct
  • AML/CFT – analysis of annual returns underway at firm and sector level to assist with risk assessing and prioritisation
  • AML/CFT – thematic work, including both desk based and on-site elements.

LIKELY THAT ALL SECTORS WILL BE TOUCHED BY FSA WORK IN RELATION TO AML/CFT. MAY BE THEMATIC OR MORE FIRM SPECIFIC.

  • Bring forward a more consistent approach to supervisory inspections.
SLIDE 23

Focus and priorities: 2020-2021

Life Insurance

  • Continuation of Conduct of Business building on initial high-level thematic, Risk Management including ORSA thematic.

Non-Life Insurance

  • Review of implementation of new framework, Risk Management (including ORSA & reports from newly required Actuarial Function Holders).

  • Greater focus on commercial insurers.

Insurance Intermediaries

  • Client assets.
SLIDE 24

Focus and priorities: 2020-2021

TCSPs

  • Continue annual business meetings focussed on Compliance and Risk Management. Feed back observations.
  • Authority will be subject to assessment by GIFCS of the IOM’s compliance with GIFCS’s Standard of Regulation of TCSPs.

Pensions

  • Continued engagement on new framework.
SLIDE 25

Focus and priorities: 2020-2021

Banking and Money Transmission

  • AML/CFT risk assessments and inspections (including using financial flow data).
  • Continuation of strengthening the regulatory / supervisory framework: recovery planning, liquidity, ICAAP, risk assessments.

Funds

  • Continued programme of inspections assessing governance, AML/CFT and conduct: may include services to exempt schemes and also closed ended investment companies.

  • Review of exempt schemes framework.
  • Thematic Feedback.
SLIDE 26

Focus and priorities: 2020-2021

Investment Services

  • Further pensions thematic work / additional guidance.
  • PII: emerging issues in the market.
  • Financial advisory firms: data requirements (FSA portfolio risk assessments).
  • Continuation of targeted inspection programme for investment / asset management firms.
  • Development of FSA risk assessment modules, commencing with “conduct”.
SLIDE 27

Key Messages / Re-cap

  • Board is ultimately responsible for ensuring a firm is meeting its regulatory requirements and conducting its business appropriately - culture, adequacy of financial and human resources, control frameworks etc.
  • Where the Authority identifies shortcomings it will hold the Board accountable.
  • A ‘tick-box’ approach to Governance, Risk Management, Internal Controls and Compliance is not sufficient. Firms need to be able to demonstrate effectiveness.
  • Conflicts need to be effectively managed / mitigated, not simply documented. If conflicts cannot be managed / mitigated they should be avoided.

  • Decisions need to be adequately documented, not simply it was ‘resolved to’.
SLIDE 28

Key Messages / Re-cap

  • The Authority expects firms to be open and transparent in their engagement. Where the Authority sees evidence that this is not the case this raises concerns as to culture.
  • Obvious supervisory indicators to the Authority that all may not be right within the firm include multiplicity of breaches, turn-over in key staff, customer complaints and failure to meet other legislative requirements. Where we see these indicators a firm should not be surprised that these will trigger enquiries and greater engagement with the Authority.
  • All firms should ensure they have established whistleblowing frameworks.
  • We are seeing more whistle-blows to the Authority. The Authority takes these very seriously.

SLIDE 29

Key Messages / Re-cap

  • The Authority is not a compliance or audit function:-
  • Do not wait for an Authority inspection or review to identify non-compliance.
  • Firms should have adequate frameworks to ensure ongoing review of compliance.
  • Firms have access to external parties for advice / assurance.
  • Where appropriate we will require you to remediate deficiencies and get back to BAU.
  • There are a range of actions that we may require of firms: these can include external confirmation that remediation has been completed / effective. For larger groups this can include targeted internal audit assurance.

SLIDE 30

Key Messages / Re-cap

  • Dear CEO letter, thematic reviews, statements etc. will be increasingly used to flag areas that we believe require remedial focus, and what our expectations are. This should assist firms to meet their regulatory obligations. Firms should be monitoring Authority communications.

  • We encourage open and transparent communications.
  • As far as possible we would like to operate in an environment of ‘no-surprises’.
  • Come forward with problems and a plan to resolve.
SLIDE 32

THANK YOU & QUESTIONS