Equiom (Guernsey) Limited
26th July 2024The Financial Services Business (Enforcement Powers) (Bailiwick of Guernsey) Law, 2020 (the “Enforcement Powers Law”)
The Regulation of Fiduciaries, Administration Businesses and Company Directors, etc (Bailiwick of Guernsey) Law, 2020 (the “Fiduciaries Law”)[i]
The Criminal Justice (Proceeds of Crime) (Financial Services Businesses) (Bailiwick of Guernsey) Regulations, 2007 (the “Regulations”)
Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 (“Schedule 3”)[ii]
The Handbook on Countering Financial Crime and Terrorist Financing (the “Handbook”)
The Finance Sector Code of Corporate Governance (the “Code of Corporate Governance”)
Equiom (Guernsey) Limited (the “Licensee” or the “Firm”)
On 19 July 2024, the Guernsey Financial Services Commission (“the Commission”) decided:
1. To impose a financial penalty of £455,000 on the Licensee under section 39 of the Enforcement Powers Law; and
2. To make this public statement under section 38 of the Enforcement Powers Law.
The Commission considered it reasonable and necessary to make these decisions having concluded that the Licensee had failed to ensure compliance with the regulatory requirements and failed to meet the Minimum Criteria for Licensing pursuant to Schedule 1 of the Fiduciaries Law.
Background
The Licensee was established in Guernsey in August 1976 and undertakes fiduciary activities under a full fiduciary licence issued in November 2001.
In May 2019, the Licensee’s ultimate parent company was acquired by a private equity investor, which remained in place until August 2022, until it was then acquired by its current majority shareholder.
In January 2020, another licensed fiduciary (“Fiduciary A”) amalgamated with the Licensee, although for a number of years prior to that date the two licensees were sister companies and had common staff and procedures.
The Licensee is a large business with a high-risk appetite and a significant number of high-risk relationships. As at 30 June 2021, approximately 68% of its business relationships were high-risk. A significant number of clients were from, or linked to, jurisdictions which are regarded as posing a higher risk of money laundering, terrorist financing and/or bribery and corruption. A number of clients were allegedly involved in criminal activity according to media reports.
The Commission visited the Licensee in 2017 (“the 2017 Visit”) and identified a number of issues, including:
- That the composition of the board of the Licensee was not appropriate, in particular due to the number of recent resignations of executive directors, the geographical separation of further executive directors and that no Guernsey based director was responsible for compliance and risk;
- The number of ongoing financial crime related projects, including a project to review all customer due diligence (“the CDD Project”), a project to clear a backlog of overdue periodic reviews and resulting action points and a project to review the Licensee’s policies, procedures and controls; and
- Contraventions of the Regulations and Handbook in the client files reviewed. These related to a lack of regular relationship risk assessment reviews, lack of appropriate CDD, lack of reasonable measures to establish source of wealth and source of funds and lack of ongoing and effective monitoring.
The Licensee was required to complete a remediation programme following the 2017 Visit.
The Commission visited the Licensee again in 2021 (“the 2021 Visit”) and identified similar issues to those identified at the 2017 Visit. In particular, the Commission identified:
- An inappropriate board composition and an under-resourced board. At the time of the 2021 Visit, there was only one executive director based in Guernsey. The Commission also noted that there had been seven resignations from the board and only one appointment over the last two calendar years;
- A backlog of periodic risk reviews and action points; and
- Deficiencies in the client files reviewed, including in relation to initial and periodic risk assessments, enhanced customer due diligence (“ECDD”) and monitoring of transactions and activity.
The Commission’s investigation began following the 2021 Visit.
Findings
The Commission’s investigation found that the board of the Licensee was ineffective in the period 1 January 2018 to 7 September 2023 (“the Relevant Period”), being at times under-resourced and that the Licensee did not have an adequate number of staff with the skills, knowledge and experience to fulfil the Licensee’s duties. However, during the latter stages of the Relevant Period and subsequently, steps have been taken to improve the board effectiveness. The board has also been relatively stable in the last 12 months.
The ineffective board and the lack of adequate staff resulted in the Licensee failing to monitor and manage the financial crime risks associated with its customers as required by Schedule 3 and the rules within the Handbook (“the Rules”). This was particularly concerning due to the size of the Licensee’s business and the large proportion of high-risk clients.
Following a number of acquisitions, with little apparent attention paid to synergies or post-acquisition integration, and the takeover of the ultimate parent company by the then private equity investor, cost cutting measures, including redundancies, were imposed on the Licensee through 2018 and 2019 when it was already under-resourced and the Licensee was under pressure to upstream funds. This resulted in the ultimate parent company and its private equity investor in place at the time appearing to the Commission to be more interested in its own financial position than with the Licensee’s compliance with the Bailiwick’s regulatory framework.
In particular, the Commission found:
The Licensee failed to have an effective board responsible for governance
The Minimum Criteria for Licensing requires a licensee to have an appropriate number of executive and non-executive directors having regard to the nature and scale of its operations.
The Minimum Criteria for Licensing also requires a licensee to have at least two individuals resident in the Bailiwick effectively directing the business.
The Code of Corporate Governance requires a licensee to have an effective board responsible for governance.
In the Relevant Period, twenty directors were appointed to the board and twenty directors resigned, a significant turnover of directors in a five-year period for a large firm with a high-risk book of business. The frequent changes in the board of the Licensee highlights that the composition of the board was not appropriate to the circumstances of the company and the nature and scale of its operations.
The significant turnover of directors resulted in the Licensee not being headed by an effective board. In particular, the constant changing of directors meant no director could take ownership and ensure that the remediation following the 2017 and 2021 Visits was completed satisfactorily.
For a period of eight months between October 2021 and June 2022, the Licensee only had one Guernsey based director.
As noted below, the Licensee had a significant turnover of staff and a lack of sufficient staff resources. However, the Licensee board was ineffective in resolving this serious issue during the Relevant Period. The Commission noted that any new staff, including replacements for leaving staff, had to be approved by the Licensee parent company. Approval was often delayed and at times refused resulting in the Licensee not being in a position to resolve staffing issues.
In addition, despite the Licensee being aware of staffing issues, a number of staff were made redundant in 2019. The redundancies were imposed by the parent company and the Licensee board were ineffective in preventing the redundancies.
The board of the Licensee are responsible for the proper running of the company, not the shareholders.
The Licensee failed to have staff of adequate number, skills, knowledge and experience
The Minimum Criteria for Licensing requires a licensee to conduct its business in a prudent manner. This includes a licensee having staff of adequate number, skills, knowledge and experience to undertake and fulfil the duties of a licensee.
In the Relevant Period, the Licensee had a significant turnover of staff, including a turnover of 50% or more in each of two consecutive years.
The Licensee board was often informed of and discussed a lack of staff resources in the Relevant Period. At the same time, the Licensee board was also informed of and discussed backlogs of periodic reviews and relationship risk assessment reviews, which were essential given the high-risk nature of the Licensee’s business. The backlogs, which were never rectified in the Relevant Period, demonstrated that the Licensee did not have staff of adequate number, skills, knowledge and experience to fulfil its duties.
The redundancies made in 2019 had the obvious effect of making the staff resourcing issues worse. Requests by the Licensee board for additional staff after the redundancies were at times refused by the parent company.
The Licensee failed to have effective policies, procedures and controls
Schedule 3 requires firms to have in place effective policies, procedures and controls to identify, assess, mitigate, manage and review and monitor its money laundering and terrorist financing risks.
Schedule 3 also requires firms to establish and maintain an effective policy, for which responsibility is taken by the board, for the review of its compliance with the requirements of Schedule 3 and the Handbook and such policy shall include provision as to the extent and frequency of such reviews.
In addition, following the introduction of Schedule 3 and the new Handbook in March 2019, firms were required to review and revise their policies, procedures and controls to comply with Schedule 3 and the new Handbook by 30 September 2020.
Prior to the Commission’s visit in 2021, the Licensee informed the Commission that it had not updated its policies, procedures and controls in line with the new Handbook.
The Commission’s review of a number of client files demonstrated that the Licensee’s policies, procedures and controls were not always effective. These are highlighted in the client examples below.
The fact that issues, for example, the backlog of relationship risk assessments and periodic reviews, were never remediated during the Relevant Period despite being raised with the board on a number of occasions, demonstrates that the Licensee’s policy of reviewing its compliance with Schedule 3 and the Handbook was not effective.
The Licensee failed to regularly review relationship risk assessments
Paragraph 3(4)(b) of Schedule 3 requires firms to regularly review relationship risk assessments so as to keep them up to date and where changes are required, to make those changes.
The Licensee’s policies, procedures and controls require high-risk clients to be reviewed annually, standard risk every two years and low risk every three years.
Reports to the Licensee board often referred to a backlog of relationship risk reviews, in particular from 2020 onwards following the redundancies in 2019. For example, there were 216 reviews outstanding in January 2020 and 596 outstanding in quarter 3 of 2021. The backlog of relationship risk assessments was evident in the client files reviewed by the Commission.
For the purposes of this public statement, the Commission provide examples of three such relationships only to depict the types of failings that were systemic within the Licensee.
Example 1
Client 1 is a high-risk individual from a Central American country who was once the subject of open-source information that alleged he was involved in drug trafficking and laundering the proceeds. In addition, Client 1 had received a significant financial penalty from another financial services regulator in the past in relation to providing misleading information regarding his acquisition of a bank. Fiduciary A [which subsequently amalgamated with the Licensee] was aware of these issues when it took on Client 1.
Client 1 settled a trust in 1998. Fiduciary A provided administration services to the trust from 2007 and the Licensee provided administration services from January 2020 following the amalgamation of the Licensee and Fiduciary A.
During the course of the relationship with Client 1, there were a number of potential red flags, including a number of enquiries from law enforcement authorities either directly with the Licensee or in relation to Client 1’s other business interests, which the Licensee became aware of.
Despite the adverse media and continuing interest of law enforcement in Client 1, the Licensee’s records show that as at 30 March 2022 the last relationship risk assessment had been carried out on Client 1 in July 2019. As a high-risk relationship it should have been reviewed at least twice during that period according to the Licensee’s procedures.
The failure to conduct a review of this high-risk client for three years, represented a serious failing by the Licensee and also demonstrated the ineffectiveness of its policies, procedures and controls.
The trust ceased to be a client of the Licensee in December 2022.
Example 2
Client 2 is a high-risk Russian client and a politically exposed person (“PEP”) who has subsequently been arrested for embezzlement.
Client 2 settled a trust in April 2002. The Licensee has been trustee since the formation of the trust.
A relationship risk assessment that should have been conducted in January 2020 was not actually started until January 2021 and was not signed off until October 2021, nearly two years late. The relationship risk assessment notes that the reason for the delay was lockdown and workload pressures, corroborating the reports to the board that backlogs in reviews were, at least in part, due to resources.
The previous relationship risk assessment was from February 2019 and was in the form of a risk scoring sheet. However, there is no reference to a risk scoring sheet in the Licensee’s procedures at that time, which required the completion of a detailed risk assessment form. The fact that a different risk assessment form was being used to that in the procedures demonstrates the ineffectiveness of the Licensee’s policies, procedures and controls.
Example 3
Client 3 is a Russian national employed by a private equity group owned by another Russian client (“Client 4”). Client 3 was rated as high-risk by the Licensee.
Client 3 owned a company (“Company A”), to which Fiduciary A provided administration services and corporate directors from 2012. The Licensee continued to provide administration services and corporate directors following the amalgamation of the Licensee and Fiduciary A in January 2020.
Company A acted as a guarantor for a loan obtained by Client 3 in relation to a separate property transaction.
According to the Licensee’s relationship risk assessment, the source of funds and source of wealth in Company A was Client 3’s employment with the private equity group and consultancy agreements with other companies owned by Client 4.
However, documents on the file show that the Licensee was aware that the source of the funds within Company A was actually Client 4 and not Client 3.
In April 2022 Client 4 was added to the European Union and United Kingdom lists of sanctioned individuals following the invasion of Ukraine.
The funds in Company A were subsequently used to repay the loan obtained by Client 3 for the separate property transaction. This resulted in Client 4’s funds being used to purchase Client 3’s property.
Paragraph 3(5)(a) of Schedule 3 requires a firm to take into account risk factors relating to the product, service, transaction and delivery channel. In addition, Rule 80 of Chapter 3 of the Handbook requires licensees to also consider the purpose and intended nature of the business relationship and the type, volume and regularity of activity expected. The Licensee failed to consider in its risk assessments the risk that Client 3 was being used as a nominee for Client 4 or that this was a method of disguising the transfer of value from Client 4 to Client 3.
Company A ceased to be a client of the Licensee in November 2023.
The Licensee failed to undertake reasonable measures to establish source of funds and source of wealth
Paragraph 5(1) of Schedule 3 requires firms to undertake ECDD for high-risk customers. This includes undertaking reasonable measures to establish the source of funds and source of wealth of the customer.
The Licensee’s policies, procedures and controls require that the source of funds and source of wealth be established. The policies, procedures and controls also state that it would not be a reasonable measure to accept a client’s responses to source of wealth and source of funds questions at face value. The policies, procedures and controls give some examples of acceptable verification of source of wealth.
The Licensee’s policies, procedures and controls also make clear that the CDD and ECDD requirements apply to existing customers and that any deficiencies identified during reviews should be remediated within a reasonable time frame.
Following the release of the Commission’s Thematic Report on Source of Funds and Source of Wealth in the Private Wealth Management Sector in July 2020, the Licensee commenced a project to review all high-risk clients to ensure the source of wealth and source of funds information held met the requirements of Schedule 3 and the Handbook. This included producing a summary memorandum for the file and sourcing information from archived files, open-source resources and obtaining further documentary evidence from the clients or their advisers (“the Source of Funds and Source of Wealth Project”). The Source of Funds and Source of Wealth Project was undertaken as part of the Licensee’s review of clients required by Rule 27 of Chapter 17 of the Handbook following the introduction of Schedule 3 and the new Handbook in 2019. This required all clients to be reviewed by 31 December 2021, with paragraph 26 of the Handbook giving guidance that high-risk clients should be reviewed by 30 June 2021. The Licensee confirmed to the Commission in July 2021 that all high-risk clients had been reviewed and memorandums produced.
Therefore, by July 2021, all high-risk client files should have contained evidence that reasonable measures to establish source of funds and source of wealth had been undertaken.
A number of files reviewed by the Commission showed that reasonable measures had not been undertaken to establish source of wealth or source of funds despite the project undertaken. This demonstrates that the Licensee’s policies, procedures and controls in relation to source of funds and source of wealth were ineffective.
Example 4
As noted above, Client 1 was a high-risk client from a Central American country, who had, at one stage, been suspected of laundering money for drug cartels.
The memorandum for Client 1, produced in June 2021 as part of the Source of Funds and Source of Wealth Project, stated that it was not always possible to obtain documentary evidence for all of the source of funds and source of wealth due to the length of time the structure had been in existence. The memorandum also noted that the Licensee would not now be in a position to request further documentation on the original source of wealth and source of funds to the level required by Schedule 3 and the Handbook due to the length of time the trust had been in existence.
The memorandum in relation to Client 1 is an admission that it had not undertaken reasonable measures to establish source of funds and source of wealth and it had no intention of doing so, despite its own policies, procedures and controls and Rule 28 of Chapter 17 of the Handbook. This demonstrates the ineffectiveness of the Licensees’ policies, procedures and controls.
The memorandum concludes, “There has been much adverse publicity against [Client 1] claiming that he deals in drugs and launders money. However, there has been no evidence to support these allegations. Much of the money added to the structure has been since the sale of [the bank owned by Client 1]. We do not suspect that the funds in the structure have originated from illegal activities.”
Given the Licensee’s knowledge of the allegations of money laundering and the admission that it had not undertaken reasonable measures to establish source of funds and source of wealth, it is difficult to see how the Licensee came to the conclusion that there was no suspicion that the funds originated from illegal activities.
Example 5
Client 5 is a Russian businessman and was formerly a senior manager in a large company. Client 5 settled a trust in 2009. Fiduciary A acted as trustee from the formation of the trust and the Licensee continued as the trustee following the amalgamation of Fiduciary A with the Licensee in January 2020.
Client 5 has been rated as high-risk by the Licensee since take on, which means the Licensee was always required to undertake ECDD including taking reasonable measures to establish source of wealth and source of funds.
The only information the Licensee held in relation to the source of wealth and source of funds of Client 5 was a letter from Client 5 himself and a third-party due diligence report.
The memorandum produced as a result of the Source of Funds and Source of Wealth Project in January 2021 also only refers to the letter from Client 5 and the third-party due diligence report and did not evidence any attempts to obtain further source of wealth information by the Licensee. In addition, the memorandum evidences that the Licensee was not fully aware of the source of approximately US$48 million paid into the aforementioned trust. For example, funds were received from an unknown account in 2010 and the Licensee had requested the name of the account holder from Client 5 in 2021, to which no further information had been provided.
The Licensee accepted Client 5’s letter as evidence of source of wealth despite its policies, procedures and controls stating that this is not acceptable. The policies, procedures and controls required source of funds and source of wealth information to be verified, that any deficiencies identified had to be remedied within a reasonable time and applied to existing customers.
The Source of Funds and Source of Wealth Project should also have identified the reliance on Client 5 to provide his [Client 5’s] source of wealth. This was not identified until a Risk Committee meeting in November 2021 when Client 5 was discussed, as adverse media had been discovered. The adverse media stated that Client 5 was suspected of embezzling significant funds from another state-owned company.
Despite the Risk Committee raising concerns with the source of wealth and source of funds, the Licensee decided to retain Client 5 as a client.
The trust ceased to be a client of the Licensee in November 2023.
The Licensee failed to effectively monitor transactions and activity
Paragraph 11(1) requires firms to perform ongoing and effective monitoring of any business relationship, including scrutinising transactions or other activity to ensure the transactions are consistent with the firm’s knowledge of the customer.
As part of the Licensee’s monitoring policies, procedures and controls, periodic reviews were undertaken on a risk basis. High-risk clients were to be reviewed annually, standard risk every two years and low risk every three years.
As with the relationship risk assessment reviews, reports to the Licensee board often referred to a backlog of periodic reviews, in particular from 2020 onwards following the redundancies in 2019.
Example 6
Despite the previously mentioned Client 1 being rated high-risk and the Licensee being aware that Client 1 had in the past been suspected of laundering the proceeds of crime, the only periodic review on the file following the amalgamation of Fiduciary A with the Licensee was dated March 2022. The periodic review was unsigned when the Licensee’s stated procedure was for periodic reviews to be signed off by senior management.
The Licensee also used various forms to review transactions at the time they occurred, such as asset purchases or sales. For example, the previously mentioned trust settled by Client 1 acquired a car for almost €3 million in August 2019, which was recorded on an Asset Purchase or Sales Form. However, in an email from January 2020 in relation to how to account for the purchase of the car, it was explained that the car had been transferred from the trust to another of Client 1’s trusts and then used to part repay a loan to a company owned by that other trust. These relevant further details were not documented on the Asset Purchase or Sales Form which demonstrates that this monitoring tool was ineffective.
Example 7
A periodic review of Client 2 [the high-risk Russian client and PEP] was completed in February 2019. The next review was not completed until October 2021, nearly two years after it was due according to the Licensee’s policies, procedures and controls, despite Client 2 being rated high-risk.
The trust, settled by Client 2, owned a company (“Company B”). Company B made a number of loans to other parties, including parties also owned by Client 2 or related persons. As part of the CDD Project, the Licensee attempted to obtain further details of the loan counterparties. However, the representatives of Client 2 noted that a number of the counterparties had been put into liquidation or struck off a number of years previously or had not been dealt with for a number of years. Company B itself was struck off in November 2019, leaving the trust with no assets.
The fact that the Licensee was unaware that some of the counterparties to loans made were in liquidation or that there had not been contact for a number of years clearly shows that the Licensee was not monitoring the transactions and activity of Company B and Client 2’s trust .
The lack of monitoring of the loans made by Company B was a serious failing given the writing off of loans is a known potential red flag for money laundering. Given Client 2’s subsequent arrest for embezzlement, this could have given rise to the Licensee being used to facilitate the laundering of the proceeds of crime.
Aggravating Factors
The Licensee had a large book of business and a high-risk appetite with a significant number of high-risk clients, including a number of clients suspected of being involved in criminality.
The issues identified following the 2021 Visit and in the investigation were repeats of the issues identified following the 2017 Visit, despite the remediation undertaken by the Licensee.
With such a high-volume, high-risk book of business, the Licensee required an effective board and sufficient staff resources appropriate to the circumstances of the company and the size, nature and complexity of its business. It did not have this during the Relevant Period, which contributed significantly to the backlog of relationship risk assessments and periodic reviews. The ultimate parent company and its private equity investor in place at the time appeared to be more interested in its own financial position and the upstreaming of funds than the Licensee’s compliance with the Bailiwick’s regulatory framework. Given the significant number of high-risk clients, this exposed the Licensee to the real risk of being used in the laundering of criminal proceeds or the financing of terrorism and posed a risk to the reputation of the Bailiwick as in international finance centre.
The Commission was not informed of the serious staff resourcing issues. Given the seriousness of the issues, the Commission would have expected to have been informed of the issues together with a plan to mitigate the risks.
During the Relevant Period (1 January 2018 to 7 September 2023), twenty directors resigned, and twenty directors were appointed. No directors have served for the entirety of the Relevant Period. This was predominantly due to the environment that the 2019 Private Equity investor shareholder created, including a failure to adequately integrate recently acquired different businesses with different cultures.
Mitigating Factors
The Licensee identified some of the issues and informed the Commission prior to the 2021 Visit. In particular, the Licensee informed the Commission of the failure to update policies, procedures and controls following the introduction of Schedule 3 and the revised Handbook, the failure to review regularly review relationship risk assessments, and the failure to be effectively directed by two individuals resident in the Bailiwick.
The Licensee took steps to remedy the issues following both the 2017 Visit and the 2021 Visit, including hiring third parties to review or assist with their remediation. However, the repeat issues identified following the 2021 Visit demonstrate that the remediation was not effective following the 2017 Visit.
The remediation following the 2021 Visit is ongoing. The Licensee has taken substantial steps and invested significant resources attempting to remediate the failings identified in this public statement. The Licensee appointed a third party, at the Commission’s direction, to provide leadership, project management and assurance of the remediation.
The remediation includes exiting a large number of clients, including those examples referred to above.
Steps have been taken to improve the board effectiveness under a new leadership team, and a new majority shareholder all of whom came in after the 2021 Visit. The board has also been relatively stable in the last 12 months. In addition, staff turnover has reduced over the last 12 months. Contractors have also been brought in to assist with remediation and the exiting of business.
At all times, the Licensee has cooperated fully with the Commission and agreed to settle at an early stage of the process and this has been taken into account by applying a 30% discount in setting the financial penalty.