BMA Levies Civil Penalties On Meritus Trust
The Bermuda Monetary Authority [BMA] has levied civil penalties totalling $600,000 on Meritus Trust Company Limited.
A spokesperson said, “The Bermuda Monetary Authority [BMA] has levied civil penalties totalling $600,000 on Meritus Trust Company Limited [Company], a local entity licensed under:
- The Trusts [Regulation of Trust Business] Act 2001 [Trusts Act]
- The Corporate Service Provider Business Act 2012 [CSPB Act]
“The civil penalties have been levied on the Company for failures to adequately comply with certain obligations imposed on it under the Proceeds of Crime [Anti-Money Laundering & Anti-Terrorist Financing] Regulations 2008 [AML/ATF Regulations], the Trusts Act and the CSPB Act. The Company has since remediated the identified breaches to the satisfaction of the Authority.
“Following virtual on-site inspections conducted in July 2022 [AML/ATF and Prudential], the Authority identified a number of breaches relating to the Company’s obligations under the AML/ATF Regulations, the Trusts Act and the CSPB Act [and corresponding regulations].
“The Company did not adequately comply with all requirements of the AML/ATF Regulations. In particular, in relation to:
- Internal controls which failed to recognise that maintenance of an independent audit function through the appointment of an independent third party amounts to outsourcing as defined in the AML/ATF Regulations
- Insufficient risk rating of all its products and services
- Inappropriate customer risk assessments
- Inadequate documentation of policies and procedures – which did not recognise that the Company’s complex business requires it to have more robust and sophisticated governance and internal control frameworks than it did
- Not having all Customer Due Diligence [CDD] information available to the Authority during on-site inspections
- Insufficient evidence of ongoing monitoring screening in a small number of files
- An overreliance on manual processes for PEP screening
- Insufficient documentation of reliance on third parties to provide CDD to the Company
- Training which was not adequately documented in the customer risk assessment processes
- An overreliance on manual processes to implement international sanctions policies and procedures and sanctions screening
“Further, the Company failed to meet certain minimum criteria for licensing requirements under the Trusts Act and the CSPB Act namely, conducting its business in a manner that fully complied with prudent business requirements and implementation of adequate corporate governance policies and systems of control consistent with the nature of the Company’s risk profile.
“The Authority required the foregoing breaches to be remediated by 31 July 2023 [or as extended, such approval was granted]. The Company complied within the requisite timeframe and with the Authority’s directions in a timely and expeditious manner throughout the process of remediating the breaches. The Authority has since confirmed to the Company its closure of the on-site due to the successful remediation.
“This matter highlights the importance of licensees implementing appropriate and up-to-date AML/ATF policies and procedures in order to avoid the risk of financial products or legal structures being used as a vehicle for money laundering or terrorist financing along with the expectation that its trust and corporate services business is at all times compliant with the requisite minimum criteria for licensing obligations.
“The Authority took into consideration the nature of the breaches as well as comparable cases in determining the appropriate level of civil penalties to impose.
“In addition, the Authority had regard for the following mitigating factors:
- 1. The Company’s commitment to ensuring that high standards are applied at all times and its overall culture of compliance;
- 2. The breaches were, for the most part, related to insufficient sophistication pertaining to processes, including how they are documented;
- 3. The risk of loss to clients, which was determined to be low;
- 4. The manner in which the Company complied with direction and cooperated with the Authority throughout the remediation process, including the provision of regular updates; and
- 5. The implementation of measures to prevent the recurrence of the identified breaches.”
