When familiar failings become major enforcement cases
17 Mar
What Guernsey firms should learn from recent GFSC outcomes
In an earlier article, I explored how an enforcement action is rarely a cliff-edge event. More often, it is the endpoint of a supervisory story that has gone off-course: control failure, credibility failure and tempo failure combine until the regulator no longer has confidence that the matter will be resolved through ordinary supervision. That is still the right starting point. But it leaves a further question: why do some familiar issues become major enforcement cases, while others do not? (consultgc.gg)
The answer is not usually novelty.
In financial crime enforcement, the underlying failings are often entirely recognisable: weak client risk assessment, ineffective monitoring, poor treatment of red flags, weak oversight of higher-risk business, and remediation that is slower or thinner than first presented. What tends to distinguish the most serious cases is something else. It is the duration of the failing, the number of opportunities to put it right, the quality of the response, and the point at which a technical weakness stops looking like a compliance issue and starts looking like a governance problem.
That is why the GFSC’s public statement on Utmost Worldwide Limited, Mr Leon Steyn and Mr James Watchorn matters. The headline figure is striking: a £1.96 million penalty on the firm, together with penalties of £35,000 on Mr Steyn and £10,500 on Mr Watchorn, and a prohibition preventing Mr Watchorn from acting as MLRO/MLCO for one year and five months. The Commission described the failings as serious and systemic, spanning 2015 to 2025 (gfsc.gg). It is also worth bearing in mind that, given the GFSC’s published discount regime for early settlement and the statement’s reference to settlement at the earliest opportunity as a mitigating factor, the published penalties may already reflect settlement credit.
But the scale of the financial penalty, while important, is not the most revealing feature of the case.
The failings are familiar. The persistence is not.
The failings described in the Utmost statement are not novel in a narrow technical sense, but they are more significant than a standard list of AML/CFT weaknesses might suggest. The GFSC’s concern appears to have been not simply that there were deficiencies in relationship risk assessment, review coverage, suspicious activity reporting and the treatment of red flags, but that those deficiencies reflected a deeper failure to align the control environment with the real financial crime risk of the business. As the statement puts it, the fundamental issue was that the Licensee underestimated the degree of financial crime risk in its life insurance business. On that footing, the failings were not isolated defects. They extended to whether the Licensee had established and maintained effective procedures and controls to forestall, prevent and detect money laundering and terrorist financing and, where necessary, to report suspicion, and whether it had conducted its business with prudence and professional skill in relation to one of its third-party brokers. That is what gives the case its weight: the public statement reads less like a finding of discrete control gaps and more like a finding that the firm’s financial-crime and third-party risk framework was not adequately calibrated to the real risk profile of the business.
What public statements consistently show
Utmost does not sit outside the existing line of GFSC cases. It sits within it.
A useful comparator is Confiànce. There too, the Commission identified familiar AML/CFT failings, including failures to undertake and regularly review relationship risk assessments and failures to conduct effective ongoing monitoring. More importantly, the Commission said it had already identified similar failings in 2010, and that a further visit in 2013 also resulted in remedial steps, yet the 2015 visit found those failings had still not been addressed appropriately in all instances.
That matters because it supports the broader proposition that repeat failings and ineffective remediation materially aggravate the case.
Zedra is instructive for a different reason. The Commission there identified familiar themes as well: ineffective risk assessment, failures to understand ownership and control, inadequate enhanced measures, poor treatment of red flags, and insufficient regard to internal compliance concerns. But the Commission expressly said the findings related to one client file, were serious in nature but not systemic, and covered a very short period of time.[1] The penalty was correspondingly smaller: £90,000 on the firm and £15,000 on Mr Borman, together with a two-year prohibition and disapplication.
Zedra is therefore useful not because it mirrors Utmost, but because it shows what seriousness looks like when the case is narrower in scope, shorter in duration and not characterised as systemic.
Safehaven adds a further dimension. There, the Commission described the business as inherently high risk, given the services provided and the profile of its clients, including PEPs and clients connected to high-risk countries. It imposed penalties of £100,000 on the firm, £50,000 on Mr Bach, £10,000 on Mr Good, £10,000 on Mr Whitworth, £5,000 on Miss Ozanne and £1,000 on Mr Dickinson, with lengthy prohibitions on Mr Bach and Miss Ozanne.
Safehaven is a reminder that where a business model itself carries elevated financial crime risk, the regulator expects more than formal controls. It expects sound judgment, challenge and escalation equal to the risk.
When a controls issue becomes a governance issue
This is the deeper lesson running through these cases.
At an early stage, a matter may still look like a technical compliance issue. A review is commissioned. A remediation plan is launched. Governance structures are created. Reporting improves. But regulators are not assessing whether a firm can generate activity. They are assessing whether the firm has a real grip on the underlying risk, whether management’s account of progress is reliable, and whether the board is being shown the true picture.
That is where firms often come unstuck.
A remediation programme can appear busy while leaving the core risk largely intact. A board can receive extensive reporting without being shown the real level of slippage, uncertainty or residual exposure. A control function can identify red flags without securing meaningful management action. Over time, those features stop looking like programme-management issues and start looking like governance weaknesses.
That is usually the point at which a matter changes character. The question is no longer simply: what is the control failing? It becomes: why was this still happening after repeated opportunities to fix it?
Utmost matters because the public statement appears to capture exactly that shift.
The practical message for boards and senior management
For firms in Guernsey, and more broadly across the Crown Dependencies, the practical implications are clear.
First, firms should not assume that familiar failings are low-consequence failings. Regulators see these themes repeatedly. That can make them more serious, not less, when they recur.
Second, prior findings and partial remediation should be treated as major warning signs. Once similar issues have been identified more than once, the future case will often be judged through the lens of what the firm knew and what it failed to do with that knowledge.
Third, boards should focus less on whether a remediation programme exists and more on whether there is genuine traction over the underlying risk.
Fourth, firms should be particularly careful with legacy business, inherited distribution models and longstanding assumptions about client risk. Historic problems do not become less serious because the business has evolved away from the model that created them. In some cases they become more serious, because the unresolved legacy position itself becomes a regulatory concern.
The wider point
The most serious AML/CFT enforcement cases are often not those involving the most unusual failings. They are the ones in which familiar failings were allowed to harden into a pattern.
That, in my view, is the real significance of Utmost in context. The failings are not what makes the case remarkable. The persistence of the failings is. And for firms that want to stay out of enforcement, that is the point worth studying most closely.
For firms facing issues of this kind, the challenge is rarely just technical remediation. The more difficult task is understanding how the regulator is likely to view the issue, demonstrating credible progress, and restoring confidence before concerns harden into enforcement. ConsultGC advises regulated businesses, boards and senior individuals on regulatory risk, remediation strategy, supervisory engagement and enforcement matters, with a particular focus on helping clients bring clarity, credibility and control to situations where the stakes are already high.
[1] 1 January 2020 to 31 December 2021.