
Key Themes from Supervision Andrew Kermode Colin Manley - PowerPoint PPT Presentation



  1. Key Themes from Supervision Andrew Kermode Colin Manley www.aicp.im

  2. Financial Services Authority Supervisory Update Andrew Kermode & Colin Manley

  3. Agenda Key Supervisory Observations: • Risk Management & AML/CFT • Governance and Other Risk Management • Conduct (protecting consumers). Focus and priorities for 2020 / 2021. Key Messages / Re-cap.

  4. Key Supervisory Observations • Reflect key areas of recent supervisory focus and also recent regulatory interventions. • Undertaken more inspections of TCSPs over the last 2 years compared to other sectors (reflective of size of sectors & also consideration of risk): more observations come from this engagement but are of relevance to other sectors. • Presentation weighted to areas for improvement. This doesn’t mean issues are occurring in all firms. • Thematic reviews do / will consider examples of good practice, e.g. ORSA review for insurers. • Lots of examples of constructive engagement with firms during the year and we would like this to continue.

  5. Risk Management - TCSPs Lack of maturity in aspects of Risk Management Frameworks • Risk management frameworks required to address all material risks. • Detailed processes and procedures in some areas but simply generic statements in others. • Business Risk Assessment (Code and Rulebook Requirement):- – Risks only identified at a generic level. – Must address ML/FT risks pertaining to the firm’s services / products, customers, jurisdictions and distribution channels. – Risk mitigation and controls must be focussed on own risks and be reflective of actual control framework. • Weaker -> financial, operational, reliance on group (ops & financial). • Compliance is part of an effective risk management framework.

  6. Risk Management - TCSPs Risk Appetite • Important context - operating environment clearly changing & challenging market. • Lack of clarity / formal articulation of the amount and type of risk that a firm is willing to pursue, retain or take (accepting that there is no tolerance for ML/FT). • How then is this translated down to staff / front-line? • Acquisitions / new ownership: – Sufficiency of resource, before and during. – Risks and how managed and controlled. – Expect adequate assessment – not generic. – Change to Risk Appetite?

  7. Risk Management - Insurance Life Insurance • We have seen risk management frameworks develop and strengthen. • Also see more robust articulation of tolerances (linking to new framework). • Currently reviewing ORSAs and will feed back. Non-Life Insurers • See the need for commercial insurers to strengthen frameworks – area of focus. • Captives represent lower risk. Some improvements required in refining appetite and tolerances, recognising proportionality. In many cases a question of pulling together current practices to help demonstrate activities and assessments.

  8. AML/CFT - TCSPs Customer Risk Assessments (“CRA”) – BRA addressed earlier • Did not always consider all relevant risk factors. • Information contained in CRAs, and used to assess risk rating, was inconsistent with information retained on files. • Lack of financial and transactional information on file for customer entities or this information not maintained. Not evident how unusual activity could be identified. • Limited or no documented consideration of complex structures. • Deficiencies in source of funds / source of wealth information and verification.

  9. AML/CFT - TCSPs Customer Risk Assessments (“CRA”) cont. • Basis of risk rating was insufficiently clear and / or insufficiently documented. • Risk rating not consistent with risk factors. • Follow up actions recorded on CRAs, however cases where follow-up didn’t occur or wasn’t timely.

  10. AML/CFT – Funds Business Context • AML/CFT Code applies to “relevant persons”. • “Relevant persons” are not only fund managers / administrators, but also IOM funds established under the Collective Investments Scheme Act 2008. • The AML/CFT Code applies directly to IOM funds, and those funds’ governing bodies retain responsibility for compliance with the AML/CFT Code. • In practice, governing bodies of funds delegate a lot of AML/CFT activity to IOM based fund managers / administrators, and to those TCSPs providing fund services to exempt schemes.

  11. AML/CFT – Funds Business Relationship between the IOM fund and the Functionary • AML/CFT delegations to be clearly documented in service agreements / offering documents; important that both parties understand their obligations and there are no “gaps” – this equally applies to exempt schemes. • Examples where we have seen uncertainty and potential gaps include: ownership of customer (investor) risk assessments, ongoing monitoring processes, and MLRO duties. • We are in the process of revisiting the sector guidance as part of the wider updates to the AML/CFT Handbook, and will also be issuing thematic feedback.

  12. AML/CFT – Funds Business Risk Assessments and ongoing monitoring • Risk assessments of Funds: how will / does the fund itself comply with the AML/CFT Code? What risk assessments are undertaken by the governing body? What is the investor base (where money is coming from)? What is the fund investing in? Is the structure complex / multi layered and if so why? • Risk assessments of customers of Funds (investors): often this is done by a functionary – have seen limited documented rationale for risk ratings, and lack of documented clarity around the ongoing monitoring of customer risk and CDD, also relating to triggers.

  13. AML/CFT - Banking Banking Sector • Ongoing monitoring of gaps – customer information and trigger events; ongoing screening; transaction monitoring and identifying unusual or suspicious activity. • Commencing on-site inspections with a particular focus on developing new FSA risk assessments for AML/CFT (which uses a variety of data sources), and utilising financial flow data to help test key aspects of the control environment. • Key controlled function role holders (e.g. MLROs) and succession planning.

  14. AML/CFT – Insurance & Pensions Life Insurance • Focussed on individual firms and small sample so very firm specific. Insurance Managers and Managed Entities • Reminder that manager’s and “managed” risk assessments are separate. “Managed” cannot rely on manager’s assessments. Pensions • Commonality with some of TCSPs themes -> BRAs not sufficiently focussed on actual business models, some deficiencies in CRAs. • Sector guidance imminent.

  15. Governance & Other Risk Management General observations Delegation of Functions (provider and receiver) • Agreements not always matching, or reflecting services being provided. • Agreements not identifying the correct legal entities / parties. • Clarity on who is responsible for review, monitoring and reporting of compliance with service requirements. Integrity of Financial Controls Documenting decisions

  16. Governance & Other Risk Management General observation Conflicts of Interest • All firms are required to establish, implement and maintain effective conflicts of interest policies including controls to manage conflicts which constitute or may give rise to a conflict of interest entailing a material risk of damage to the interests of one or more of its clients. • Not sufficient to simply record the conflict, need to manage conflicts. • Needs to be sufficient independence in oversight. • Where conflicts cannot be managed they should be avoided.

  17. Conduct – Life Insurance Published Thematic on Gone Away & Orphan Clients IoM Insurance Framework, plus considered ABI frameworks and UK FCA Guidance Gone Away Clients • Most but not all insurers had procedures in place on how to manage their relationship with ‘gone away’ clients and could identify ‘gone-away’. • Varying practices around the method and number of attempts to contact ‘gone away’ clients. • No insurer provided any formal reports proactively to the Board of Directors on ‘gone away’ clients.

  18. Conduct – Life Insurance Gone Away Clients – FSA expectations • All insurers to have established Board Approved principles and a framework to manage ‘gone-away’ clients – due consideration to TCF. • For insurer to determine frequency of attempt and method, however not appropriate to make no further effort after first piece of returned mail / failed contact. • Cross check veracity of address on system to application, contact associate party (IFA etc.) or other public information. • Report to Board at least annually, on ‘gone away’ clients and whether treatment is in line with Board principles.

  19. Conduct – Life Insurance Orphaned Clients • Most but not all insurers had procedures in place to identify and value ‘orphaned’ clients. • Process for managing ‘orphaned’ clients varied. • Wide approach to TCF, in particular in relation to charges and retention of commission structures and adviser fees. Orphaned Clients - FSA expectations • Establish procedures to record and provide MI to relevant stakeholders. • Write to ‘orphaned’ clients informing of position and potential implications. • Develop approach to TCF, including ‘trail commission’ arrangements. • Report to Board, at least annually, on ‘orphaned’ clients and treatment.
