The pandemic has put many things on hold – holidays, weddings, house moves – but not the requirement to provide staff with AML/CFT training. As we head towards September, and people’s minds turn towards a new school term, I am getting an increasing number of enquiries about training. And I have noticed something interesting happening with my Guernsey clients. For the first time ever – and I’ve been working there for two decades – clients are asking me to guarantee that my training will meet the requirements of the regulator. Now, in principle, I of course have no problem with this: I am happy to do my very best to make sure that a regulator would be happy to know that a firm is getting its AML/CFT update from Grossey. But (a) why are firms in Guernsey suddenly exercised about this, and (b) is it actually possible to meet the regulator’s requirements?
The first question might be answered by reference to a document published in 2016 by the Guernsey Financial Services Commission: “Training Thematic Review: Report of Findings”. In this, the regulator shared its findings from 62 local firms on the topic of AML/CFT training, and – with regard to the content of such training – made this observation: “The Handbooks stipulate the topics which training must cover as a minimum [and] in reviewing the questionnaires completed by firms and the training materials provided by those firms visited, the Commission noted that training covered most of these factors.” And that was five years ago. So it’s still a mystery – perhaps the GFSC has recently said something unofficially to firms about training not covering the right ground. So just what is the right ground?
And this is where I struggle when firms ask me to confirm that my training will cover it all. When you turn to the Handbook, the demands around AML/CFT training for regular staff – not Board members, or MLROs – are many:
The ongoing training provided by the firm shall cover –
(a) the Relevant Enactments, Schedule 3 [the AML requirements] and this Handbook,
(b) the personal obligations of employees, and partners, and their potential criminal liability under Schedule 3 and the Relevant Enactments,
(c) the implications of non-compliance by employees, and partners, with any rules (including Commission Rules), guidance, instructions, notices or other similar instruments made for the purposes of Schedule 3, and
(d) the firm’s policies, procedures and controls for the purposes of forestalling, preventing and detecting ML and FT.
In addition to the requirements of [the paragraph] above, the firm must ensure that the ongoing training provided to relevant employees in accordance with Schedule 3 and this Handbook also covers, as a minimum:
(a) the requirements for the internal and external disclosing of suspicion;
(b) the criminal and regulatory sanctions in place, both in respect of the liability of the firm and personal liability for individuals, for failing to report information in accordance with the policies, procedures and controls of the firm;
(c) the identity and responsibilities of the MLRO, MLCO and Nominated Officer;
(d) dealing with business relationships or occasional transactions subject to an internal disclosure, including managing the risk of tipping off and handling questions from customers;
(e) those aspects of the firm’s business deemed to pose the greatest ML and FT risks, together with the principal vulnerabilities of the products and services offered by the firm, including any new products, services or delivery channels and any technological developments;
(f) new developments in ML and FT, including information on current techniques, methods, trends and typologies;
(g) the firm’s policies, procedures and controls surrounding risk and risk awareness, particularly in relation to the application of CDD measures and the management of high risk and existing business relationships;
(h) the identification and examination of unusual transactions or activity outside of that expected for a customer;
(i) the nature of terrorism funding and terrorist activity in order that employees are alert to transactions or activity that might be terrorist-related;
(j) the vulnerabilities of the firm to financial misuse by PEPs, including the effective identification of PEPs and the understanding, assessing and handling of the potential risks associated with PEPs; and
(k) UN, UK and other sanctions and the firm’s controls to identify and handle natural persons, legal persons and other entities subject to sanction.
Now take into account that I am usually asked to provide a session lasting 90 minutes – two hours at the outside – because staff won’t tolerate anything longer, or because they just can’t be spared from their work. I am having to admit to clients that it’s just not possible to cover everything, unless they give me more time, or they fill in the gaps between training sessions with updates for their staff. I’ve sometimes been accused of speaking too quickly during training, and now you know why!