Guernsey: New Independent Compliance Audit Requirement In Guernsey

The Guernsey Financial Services Commission ("GFSC") updated its Handbook on Countering Financial Crime and Terrorist Financing (the "Handbook") in early July 2023 and the updates included a new requirement for a "specified business" to establish and maintain an independent compliance audit function. To read more about the further changes to the Handbook, read our briefing.

What businesses does the compliance audit requirement relate to?

The new compliance audit requirement applies to all "specified businesses", being either a "financial services business" such as a business that is licensed under any of Guernsey's regulatory laws, or a "prescribed business" such as estate agents and, in relation to certain activities, lawyers and accountants.

What is the new requirement?

Specified businesses are required to, where appropriate, establish an independent audit function for the purpose of evaluating the adequacy and effectiveness of their policies, procedures and controls adopted by them to comply with Guernsey's AML/CFT legislation and the Handbook.

The requirement applies "where appropriate", and in deciding on the extent and frequency of any compliance audit, each business should consider its own money laundering and terrorist financing risks, as well as the size and nature of the business that it carries out.

Businesses are also required to introduce and maintain a compliance monitoring programme ("CMP") for the evaluation and monitoring of the adequacy and effectiveness of their compliance policies, procedures and controls.

What is the independent compliance audit function?

The independent compliance audit function introduces a new layer to the obligations put on boards of licensed bodies to ensure oversight and ongoing monitoring of compliance. The Handbook is expressly drafted to reflect that the size and position of this function will depend on the nature and size of the organisation, and will vary between businesses.

The independent compliance audit function must:

• examine and evaluate the adequacy and effectiveness of the policies, procedures and controls adopted by the business to comply with Guernsey's AML/CFT legislation and the Handbook; and
• report on and make recommendations to the board of the business in relation to those policies, procedures and controls.

Who can fulfil the independent compliance audit function?

The role can be filled internally or externally and consideration should be given to the size and nature of the business, and risk that the business takes on.

If appropriate, given the nature of the business and its size, the function can be fulfilled internally but not by:

• the MLCO;
• the MLRO where they have designed the policies or reviewed them, otherwise they can;
• any employee involved in the design of the CMP; or
• any employee involved in the day to day implementation of the CMP policies and procedures.

Notably, the function can be outsourced to an external service provider, subject to the GFSC's outsourcing principles and guidance.

If the function is carried out by an internal or group audit function, it must also monitor the business' compliance with the recommendations that it makes. If the function is carried out by an external party that is unable to further monitor the business' compliance with its recommendations, the responsibility for monitoring the business' compliance with its recommendations is assigned to the board.

What if a business does not have a separate independent audit team?

Where a business has an independent internal audit team, either at local or group level, then that team can fulfil the independent compliance audit function.

Where a business does not have an independent compliance audit function, either at local or group level to service the Guernsey business, the board are responsible to decide whether a delegation to an external service provider to exercise the evaluation of the entity's policies and procedure. The Handbook suggests that this is done at least annually, and if a decision is taken not to carry out the audit, then the rationale or such decision should be well documented and recorded. Such a decision should not be made solely on the basis that the size of the business is too small.

Walkers' comment

The changes signify Guernsey's ongoing commitment to meeting the highest international standards in relation to AML/CFT and sanctions.

The new function reflects that the GFSC recognises that compliance audits are not a 'one size fits all' service and that the scope of remit of audits varies considerably across industry.

Each specified business will need to consider and then monitor whether, taking into account its size together with its money laundering and terrorist financing risks, it should have an independent audit function to examine and evaluate its AML and CFT controls.

The nature and size of the business in question will dictate whether it is appropriate to have the independent audit carried out internally or externally, and how frequently the audit should be carried out. However, the board of the business should consider the position each year, and fully document their reasoning for having or not having an independent compliance audit for a particular year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.