IoM proposes new AML rules for July
Chris Hamblin, Editor, London, 14 February 2019
The Isle of Man Financial Services Authority is updating its anti-money-laundering rules to please MONEYVAL, the FATF-style regional body whose inspectors assessed its controls in April and May 2016. The jurisdiction's eventual mark was excellent but left a few matters outstanding.
The regulator is therefore consulting interested parties about rule-changes. Some suggestions come not from MONEYVAL but from its own staff. The closing date for comments is 27 March.
The Government wants to replace the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015 (as amended 2018) with a new code, which it calls "the 2019 code." This has to be in force by July to suit MONEYVAL's timing. The Department of Home Affairs and the Treasury share responsibility for framing all legislation in this area; the IOMFSA is responsible for updates.
The Government wants to move some provisions in the Insurance (AML) Regulations into the code. It also wants to extend the range of sanctions in relation to non-compliance with the code by introducing civil penalties. At the moment, criminal sanctions are the only option. Below are some of the main proposals for change.
- Verification of customers. The Government wants the '2019 code' to widen an existing requirement regarding verification of a customer from "the verification of identity of the customer using reliable, independent source documents" to "the verification of the identity of the customer using reliable, independent source documents, data or information." This revised wording is in line with FATF standards (the FATF recommendations and methodology).
- Source of funds and source of wealth. The new code will contain a glossary that interprets these terms slightly differently than the old one. In summary, 'source of funds' is to mean the origin of the particular funds or other assets involved in a business relationship or occasional transaction and 'source of wealth' is to mean the origin of a customer’s entire body of wealth. Wherever the 2019 code requires a firm to ascertain 'source of funds' and 'source of wealth,' that firm ought to “take reasonable measures to establish” them. The idea is to make the firm take a risk based approach to the matter. The regulator is going to provide detailed guidelines in this area in its AML/CFT rulebook or 'handbook. '
- Registration on Themis. The regulator plans to requirement relevant persons (licence holders, the Isle of Man's equivalent of the UK's 'approved persons') to register various things on a reporting platform called Themis in relation to external disclosures. This is already a requirement in the Financial Intelligence Unit Act 2016.
- Technology risk assessment. The 2015 code requires every firm to undertake a risk assessment of any technological developments. The Government wants to widen this requirement to undertake and regularly review an assessment of any technology employed by a firm, including new or developing technologies.
- Introduced business. The Government wants to amend the law, forcing the relevant person or introducer (in certain cases) to meet the customer if two 'third parties' have been involved in the introductory process and the 'third party' who has met the customer is not a 'trusted person' (a term to be found in the 2019 code).
- Beneficial ownership and control. The Government proposes to amend the law in various places to require firms to do more regarding the identification and verification of beneficial owners and controllers of corporate customers.
- Acceptable applicants. There is a section on this subject in one of the isle's AML statutes which the Government wants to amend to make it more obvious that it only applies if and when a customer is acting on his own behalf (see below).
- Generic designated business. There is a section on this subject, which contains something that the regulator calls a 'concession,' in one of the isle's AML statutes as well. The Government wants to amend it to describe the circumstances in which it applies.
- Transfer of a block of business. The regulator is going to move its rules on this subject to a new, stand-alone paragraph in its rulebook.
- Section 24 Financial Intelligence Unit Act 2016. The regulator wants to refer to this in the code and to force every firm to keep a register of any disclosures that it makes in accordance with this section.
- Compliance reports to a firm's board. The regulator wants to require every firm to send a report to the board of directors (if applicable) at least once a year regarding AML/ATF matters and the testing of AML/ATF procedures.
- The monitoring and testing of compliance. The regulator wants to oblige every relevant person to have "a suitable person at management level to exercise the functions regarding monitoring and testing compliance with the provisions of the 2019 code."
- The training of staff. Every firm is to keep records of the times when it trains its staff. Its training with have to make staff aware of significant changes to AML/ATF legislation and internal AML/ATF policies and procedures.
- Responses to requests for "customer due diligence" or CDD. This ugly term emanated from the Basel Committee for Banking Supervision in 2001 and is an alternative term for KYC or "know your customer" controls. The FATF and the European Union picked it up shortly thereafter. The regulator writes on this subject: "requirements will be added regarding disclosure of information by trustees upon request by a competent authority, a Designated Non-Financial Business or Profession or certain regulated persons as defined by the 2019 code if certain conditions are met."
There are to be no changes to the famous "acting on behalf of" concession. The code requires every relevant person to determine whether a customer is acting on behalf of another person and, if he/it is, to verify that other person’s identity. This stipulation is also to be found in the regulator's rulebook. The firm must always keep a document about the result of its efforts to find out who the customer is, whether he is acting for another person, and what CDD is required. This rule need not apply, however, if the firm is a certain type of firm and the customer is a certain type of customer, i.e. an 'allowed business.' According to the rulebook as it was updated in November, only an IOMFSA Class 1 (deposit taking) licenceholder, an IOMFSA Class 2 (investment business) licenceholder, an IOMFSA Class 3 (services to collective investment schemes) licenceholder or an IOMFSA Class 8 (money transmission services) licenceholder can benefit from this exemption. By the same token, the concession may only be used if the customer is an 'allowed business,' defined as: a regulated person; a nominee company of a regulated person where the regulated person is responsible for the nominee company’s compliance with the AML rules; a collective investment scheme whose manager or administrator is a regulated person; a designated business; a person who acts in the course of an external regulated business, subject to various requirements; or a nominee company of such a person, as long as that person is responsible for the nominee company’s compliance with the equivalent AML/ATF rules.