Chris Hutley-Hurst
Partner
Guernsey
This update provides an overview of the recent key publications, findings and reports issued during the last quarter.
You can find previous editions of our Regulatory updates via "read more".
Guernsey
Key developments
MONEYVAL report
1. On 10 February 2025, MONEYVAL, the Council of Europe’s permanent monitoring body, published Guernsey's 5th Round Mutual Evaluation Report (here). The report was a positive outcome for Guernsey, with MONEYVAL finding that:
(a) Guernsey obtained substantial effectiveness rating in 6 out of 11 "immediate outcome" categories and only obtained a low effectiveness rating in 1 category (investigation and prosecution of money laundering).
(b) Guernsey obtained a technical compliance rating of either largely compliant or compliant in each of the 40 categories.
2. On 10 February 2025, the States of Guernsey also published its own 'Summary perspective of the evaluation report' document (here) ("MONEYVAL Response"). This document notes that "authorities are already reflecting on the recommendations in the report and identifying any measures that need to be taken to address them".
3. Please see our earlier detailed article on they Guernsey MONEYVAL results, recommendations and next steps (here).
Guernsey Financial Services Commission ("GFSC")
4. On 7 February 2025, the GFSC published a consultation paper (here) proposing amendments to the Financial Crime Returns Rules ("FC Returns Rules”) which will make mandatory the filing of periodic returns for accountants, lawyers and estate agents.
5. In 2024, the GFSC undertook a thematic review to assess the effectiveness of controls over Client Money at investment and fiduciary licensees. On 13 February 2025, the GFSC published its findings for:
(a) investment licensees (here), concluding that the investment sector largely demonstrates good practice around the operation of client money bank accounts, highlighting that licensees relying on automated processes reported fewer breaches than those with manual procedures (due to human error); and
(b) fiduciary licensees (here), concluding that the fiduciary sector largely demonstrates good practice around the operation of client money accounts and noting that sometimes such accounts go overdrawn through no fault of the licensee, but the licensee should, nonetheless, consider measures to further mitigate this risk.
6. On 3 March 2025, the GFSC has updated the Handbook on Countering Financial Crime (AML/CFT/CPF) ("AML/CFT/CPF Handbook"), including amending the country list in Appendix I of the Handbook (here).
7. On 5 March 2025, the GFSC published Q4 2024 investment statistics (here), reporting that, inter alia, the total net asset value of Guernsey funds at the end of Q4 was £290.1 billion, an increase over the quarter of £1.3 billion (+0.5%).
Guernsey Competition and Regulatory Authority ("GCRA")
8. The GCRA has published new guidelines (6(b)) in relation to the merger and acquisitions procedure (here).
9. Sure and JTC have been successful in their appeal against the GCRA's decision that infringed the prohibition imposed by section 5(1) of the Competition (Guernsey) Ordinance, 2012, which relates to the prohibition on agreements between undertakings which have the object of preventing competition within any market in Guernsey for goods or services (here).
The Office of the Data Protection Authority ("ODPA")
10. The ODPA issued guidelines to combat phishing attacks (here).
11. On 20 January 2025, the ODPA issued a public statement in the form of a reprimand to Beauvior Limited regarding steps to protect outgoing mail (here). This public statement was in relation to the transmission of certain sensitive and personal information by Beauvior via ordinary mail which never reached the intended recipient and no formal breach report was filed. The reprimand sets out that entities should understand the risks involved with transmitting sensitive personal data, have a policy regarding outgoing mail, that sensitive information should be sent with an appropriate amount of security (i.e. via trackable mail service such as recorded delivery/courier that requires a signature indicating successful receipt), and where issues occur the entity should be able to quickly identify breaches and limit the potential impact on the affected data subject.
12. On 12 February 2025, the ODPA published a statement regarding IT system failures at the States of Guernsey. States of Guernsey have subsequently confirmed their completion of the recommendations (here) which followed the ODPA inquiry.
13. The ODPA has partnered in the launch of a new regulatory partnership, the Guernsey Consumer Cooperation Forum (the "GCCF") (here). The GCCF comprises the Office of Data Protection Authority, the Competition Regulatory Authority and the Channel Islands Financial Ombudsman, and will enable members to exchange best practices, conduct research and market analyses and collaborate on outreach and compliance matters of shared regulatory priority.
14. Breach statistics for the fourth quarter were published on 13 February 2025 (here), reporting a total of 33 personal data breaches which affected 4,914 people, however fewer people were affected by "high risk" breaches
Jersey
Key developments
Consumer credit regime
15. On 14 November 2024, the Government of Jersey ("GoJ") published a draft 'Financial Services (Jersey) Amendment Law 202-' (here) along with an accompanying explanatory note (here) and consultation paper (here).
16. On 1 March 2025, the GoJ published its response to the consultation (here). The response provides an indicative timeline for implementation, with the draft law expected to be lodged at the end of this month and come into effect in Q1 2026 with a 12-month transition period.
17. Prior to this, the GoJ will also run separate consultations on a suite of secondary legislation later in 2025, which will include draft orders and draft regulations including Debt Collection Regulations (largely in line with the standards already set in the voluntary code of conduct for debt collectors) and Unfair Terms Regulations (which will deal with matters such as high commissions and cooling-off periods, and which are intended, at this stage, to apply to consumer credit business irrespective of whether an activity is regulated under the proposed draft legislation or not).
18. The JFSC is also assisting with the development of a new consumer credit regulatory framework. On 7 February 2025, the JFSC requested (here) industry stakeholders to participate in the next round of collaborative working groups and contribute insights ahead of the JFSC's planned formal consultation later in the year, to allow for potential business impacts to be discussed and industry perspectives to be reflected.
Beneficial ownership update
19. On 21 February 2025, the Financial Services (Disclosure and Provision of Information) (Jersey) Law 2020 (here) was amended to facilitate the JFSC's disclosure of beneficial owner and controller information, stored on the obliged entity beneficial ownership register ("OEBO Register"), to "accessing parties". Access to the register is strictly controlled and limited to financial services businesses that are required to perform CDD functions under the Money Laundering (Jersey) Order 2008 ("Obliged Entities").
20. JFSC guidance (here) clarifies that only the lead administrator for Obliged Entities and their representatives will be permitted to access the OEBO register through myJFSC. This guidance also provides information on the role and responsibilities of the lead Obliged Entity administrator which, crucially, includes ensuring that access to the OEBO Register is only exercised for legitimate purposes.
21. Further recently issued JFSC guidance (here) sets out the evidence that Obliged Entities need to provide to the JFSC to demonstrate that their searches of the OEBE Register were for a legitimate purpose. Examples of evidence needed to support the legitimacy of a search include prospective and/or successful client/customer onboarding documentation. It is an offence for accessing parties to undertake searches of the OEBO Register without a legitimate purpose, or to fail provide supporting evidence, and the potential penalties include fines and imprisonment of up to 5 years. Care should also be given to demonstrating the evidence obtained has not been used for any other purpose, including maintaining appropriate internal policies on CDD limiting the use of information obtained.
JFSC 2025 business plan
22. On 17 February 2025, the JFSC published its 2025 business plan (here) following a launch event on 11 February 2025. Key takeaways include:
(a) the JFSC feeding into a GoJ review of Jersey’s economic competitiveness focussing on tax strategy, on-island regulatory improvements, and an external growth strategy;
(b) operational improvements including restructuring of fees (including an aim to provide more notice to industry of fee increases and upskilling staff to understand new tech and business models; and
(c) an acknowledgment that a stable regulatory environment is very important and international/off-island relationships are more critical than ever and staying at the forefront of international best practice, for example, by sending representatives to MONEYVAL's 6th round plenaries.
Legislative updates
23. On 1 January 2025, as noted in our previous update, the Multinational Taxation (Global Anti-Base Erosion – IIR Tax) (Jersey) Law 2025 and Multinational Corporate Income Tax (Jersey) Law 2025, being legislation to implement the OECD's global minimum tax rate of 15%, known as "Pillar 2", came into force in Jersey. This will apply to in scope multinational enterprises for fiscal years commencing on or after 1 January 2025.
For insights on the proposed approach to the implementation of OECD Pillar Two in Jersey please see our article here. The GoJ also continue to update published interim guidance on Jersey's approach to Pillar 2, which can be found here.
24. On 27 February 2025, the Sanctions and Asset-Freezing (Implementation of External Sanctions – Director Disqualification) (Jersey) Amendment Order 2025 ("Order") came into force. The Order follows an update to the UK's sanctions regime in May 2024 that introduced director disqualification ("DD") provisions (although no DD sanctions designations have yet been made under any UK sanctions regime) Further information on this is provided in the "Sanctions legislation update: director disqualification sanctions" in the Jersey Gazette (here). The Order sets out that, unless authorised by a licence, it will be an offence for a person subject to director disqualification sanctions to:
(a) act as a director of a Jersey company, or as a manager of a Jersey limited liability company; or
(b) directly or indirectly take part in or be concerned in the promotion, formation or management of a Jersey company or Jersey limited liability company.
Jersey Financial Services Commission
25. The JFSC published:
(a) on 20 January 2025, an industry update (here) identifying "seven common areas of non-compliance that should be relatively easy to address" highlighting, for example, that entities should not only conduct but also document the results of adverse media/open-source screening search results for PEP and sanctions searches even if to confirm that no hits were identified or hits were reviewed and confirmed as false positives (and the rationale for discounting hits);
(b) on 31 January 2025, a checklist (here) for an application for a CLO refinancing transaction, where the Jersey-domiciled issuer has previously received consent from the JFSC;
(c) on 4 February 2025, its latest newsletter for non-profit organisations ("NPOs") for Q3-Q4 2024 (here);
(d) on 7 March 2025, feedback on the JFSC's Q4 2024 registry supervision inspection programme (here) which involves registry supervision authenticating and verifying information held on the register, setting out common inaccuracies (e.g. failing to file updates within 21 days regarding directors' details when personal circumstances change) and good practices (e.g. keeping up-to-date due diligence documentation leads to accurate identification data being held and middle/maiden names being correct);
(e) on 7 March 2025, an updated prudential returns submission template for Jersey-incorporated banks updated 'Capital ratios - capital adequacy validation' guidance (here);
(f) on 27 March 2025, bitesize feedback for NPOs on diversion mitigation (here), setting out good practices (e.g. using a combination of diversification methods such as on-the-ground visits, receipts and photographs rather than over-reliance on a single method) and highlighting areas of improvement identified (e.g. insufficient evidence of how a donation is used such as reliance on anecdotal confirmations);
(g) on 28 March 2025, feedback on a 2024 examination on politically exposed persons ("PEPs") (here). The paper flagged that entities should consider their arrangements in respect of PEPs, particularly from a corporate governance perspective (ensuring the board can evidence adequate oversight) and a policies and procedures perspective (ensuring these are adequate and maintained); and
(h) on 1 April 2025, guidance (here) to assist Obliged Entities understand the evidence they must provide the JFSC's registry supervision team to demonstrate that their searches of the obliged entity beneficial ownership ("OEBO") register were for a legitimate purpose (noting that it is an offence for accessing parties to undertake searches of the OEBO register without a legitimate purpose or to fail provide supporting evidence, and the potential penalties include fines and imprisonment of up to 5 years).
26. The JFSC also announced:
(a) on 29 January 2025, a consultation (here) on enhancements to criminal background checks for principal and key persons, with a feedback paper due to be published in Q2 2025;
(b) on 31 January 2025, its thematic examination programme (here), setting out 3 key themes that will be examined by the supervision examinations unit (which include conflicts of interest, suspicious activity reports ("SARs"), and outsourcing arrangements) and sector-specific, narrower thematic assessment visits ("TAVs") focussing on banking (fraud controls and fees, charges and commissions), fund services business and TCSPs (transaction monitoring), investment business (fees, charges and commissions), accountants (customer risk assessments), prescribed NPOs (proportionate risk-based measures to mitigate risk of NPOs being misused for terrorist financing) and VASPs (travel rule); and
(c) on 6 March 2025, updated key areas of focus and timelines for the JFSC's second thematic examination for 2025 which relates to SARs (here).
Jersey Office of the Information Commissioner ("JOIC")
27. In March 2025, the JOIC issued public statements in respect of two investigations (including the details of each investigation, quantum of the fine and lessons learned). These statements were in relation to:
(a) an entity that shared information about a former employee with other members of staff and threatened to share the data with an unconnected third-party, with the Authority highlighting that "information must be limited to sharing it with those who need it" and "organisations must not threaten individuals with disclosure to try and settle disputes" (public statement here); and
(b) an entity that posted a client's personal information on social media in relation to a fee dispute, with the Authority highlighting that "information should only be used for the purposes for which it was given" and that "vindictive behaviour by data controllers … will be viewed as a significant aggravating factor" (public statement here).
28. In March 2025, the JOIC also published general learnings from a JOIC Virtual Protection Compliance Audit (here) that focussed on the health sector. Some of the key takeaways/best practices included:
(a) ensuring access to sensitive information is appropriately restricted to those that need it to mitigate confidentiality risks;
(b) providing data protection training to new employees prior to granting access to systems containing personal information and, thereafter, at regular intervals (ideally every 6-12 months); ensuring this training is specific and tailored to the role;
(c) ensuring organisational data protection policies and procedures effectively cover processing of personal data (noting, for example, that some policies included references to the GDPR and UK regulations rather than Jersey legislation); and
(d) ensuring policies are in place that deal with communication channels (in particular the use of social media platforms for both internal and external communications).
About our Channel Islands Regulatory and Risk Advisory team
Walkers' Channel Islands' Regulatory & Risk Advisory Team has a dedicated team of regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey and Jersey regulation and tax, including financial services, AML, sanctions, data protection, consumer protection, competition, tax (including Pillar Two), economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.
