The purpose of this Handbook is to:

(a) assist licenceholders in understanding their obligations and, in so doing, to enable the Island to maintain and further its high standards;

(b) summarise and explain the requirements of the primary and secondary AML/CFT legislation in the Isle of Man;

(c) outline the regulatory powers which the Commission may exercise and to set out the Commission's requirements of licenceholders;

(d) assist licenceholders to comply with the requirements of the Drug Trafficking Act 1996, the Criminal Justice Act 1990, Proceeds of Crime Act 2008, the Anti-Terrorism and Crime Act 2003, the Terrorism (Finance) Act 2009, the Code and relevant elements of the Rule Book, by specifying best practice;

(e) set the minimum criteria to be followed by all regulated licenceholders in the Isle of Man where there is knowledge, suspicion or reasonable grounds to suspect money laundering and/or terrorist financing;

(f) promote the use of a proportionate, risk-based approach to CDD measures;

(g) provide a defining minimum basis which individual licenceholders can utilise in order to tailor their own policies, procedures and controls for the prevention and detection of money laundering and terrorist financing;

(h) ensure compliance with international standards by the Isle of Man; and

(i) emphasise the particular money laundering and terrorist financing risks of some of the financial services and products offered by licenceholders in the Isle of Man;

This Handbook does not aim to prescribe an exhaustive list of recommended AML/CFT systems of control. A reasonable, proportionate and intelligent risk-based approach is required. Each licenceholder must consider its particular circumstances. This includes, additional measures that may be necessary to prevent its exploitation and that of its products and services by persons seeking to launder money or to finance terrorism.

The Commission recognises that licenceholders may have systems and procedures in place which, whilst not identical to those outlined in the Handbook, nevertheless impose controls and procedures which are at least equal to if not higher than those contained in the Handbook. This will be taken into account by the Commission when assessing the adequacy of a licenceholder's systems and controls. The Commission will review the Handbook and Rule Book regularly and, after consultation where appropriate, will amend them in the light of changing best practices, legislative changes and the development of international standards.

Paragraph 4(2) of the Code states that failure to comply with the Code is a criminal offence. On summary conviction, it carries a maximum custody period of six months or a fine not exceeding 5,000 or both. On conviction on information, it carries a maximum custody period of 2 years or a fine or both.

Paragraph 4(3) of the Code states that "In determining whether a person has complied with any of the requirements of sub-paragraph (1), a court may take account of . any relevant supervisory or regulatory guidance which applies to that person and which is given by a competent authority."

Section 2(2) of the Financial Services Act 2008 outlines the Commission's regulatory objectives which includes the reduction of financial crime. Section 18 of the Act provides for rules to be made to give full effect to its regulatory objectives and the functions of the Commission. The Commission has exercised this power by making the Financial Services Rule Book 2008 which has recently been replaced by the Financial Services Rule Book 2009. Schedule 3 of the Act outlines that the Rule Book may include provisions in respect of:

(a) the systems, procedures, record-keeping, controls and training which must be instituted and operated by a licenceholder in the course of its business;

(b) the retention of documents and records by licenceholders;

(c) the identification by a licenceholder of persons with, for or in respect of whom the licenceholder engages in any regulated activity;

(d) the identification of the nature and purpose of any business, transaction or arrangement undertaken by persons with, for or in respect of whom the licenceholder engages in any regulated activity;

(e) the circumstances in which a licenceholder must refuse to engage in any regulated activity with, for or in respect of any person;

With the coming into effect of the Financial Services Rule Book 2009, the majority of the AML/CFT provisions were removed as these duplicated the provisions of the Code. One AML/CFT provision concerning anonymous accounts remains within the Rule Book at Rule 6.6.

Section 43 of the Financial Services Act 2008 outlines that if a licence holder is in contravention of any statutory provision (other than one contained in or under that Act) the Commission may undertake an action for a breach including revocation or suspension of a licence, the issue of not fit and proper directions and the issue of warning notices, but with the exception of the powers to impose civil penalties under section 16 or apply for an injunction or restitution under section 16.

Where licenceholders contravene the Rule Book the Commission may undertake any action for a breach.

(a) conduct that is not in the best economic interests or which damages the reputation of the Isle of Man;

(b) lack of fitness and propriety; and/or

(c) a failure to comply with certain fundamental principles within the Rule Book and/or the Code.

This may therefore result in regulatory action at the discretion of the Commission and in extreme cases, it may result in revocation of a licence.

1.2.1 Fiduciaries which are part of groups subject to guidance issued by the Insurance and Pensions Authority ("IPA").

Where a fiduciary is part of a Group and the Group as a whole is subject to guidance on AML/CFT matters issued by the IPA, the fiduciary must comply with the AML/CFT provisions of the Code and 6.6 of the Commission's Rule Book. However, the fiduciary may follow guidance issued by the IPA in preference to the guidance issued by the Commission as long as it is in compliance with the Code and the Commission's Rule Book and can demonstrate this.

A licenceholder regulated in the Isle of Man may have overseas branches, subsidiaries or associates. In such a case, control can be exercised over business conducted outside of the Isle of Man. Alternatively, elements of the Isle of Man regulated business may have been outsourced to other jurisdictions (see Section 1.4).

Paragraph 14 of the Code ('Foreign branches and subsidiaries') requires an Isle of Man licenceholder to ensure that any branch or subsidiary in a country outside the Island takes measures consistent with the Code and guidance issued by the Commission in any branch or subsidiary outside the Island.

This is not intended to mean that the measures must precisely mirror those of the Isle of Man in every technical detail. It is intended that the measures should generally be of an equivalent or consistent standard to those in the Isle of Man.

In all such cases, a licenceholder should consider establishing a group AML/CFT strategy to protect its global reputation as well as its Isle of Man regulated business. Where the law of the jurisdiction in which the branch is situated or the subsidiary is carrying on business, imposes requirements and procedures that are lower than those set by the Code, the Rule Book and Handbook, the branch or subsidiary must apply the higher standard.

Nevertheless, reporting procedures and the offences to which the money laundering legislation in the host country relates must be adhered to in accordance with local laws and procedures.

Licenceholders must advise the Commission of any failure to apply the Isle of Man requirements in branches and subsidiaries, including where legislation in place in any host country prevents compliance that is at least in line with the Code and 6.6 of the Rule Book. Licenceholders who have informed the Commission of such a failure should follow any advice, recommendations or directions the Commission provides as to the action to take.

1.3.1 Group policies and standards

The Commission understands that many licenceholders which are part of a group (with the licenceholder either being the parent, or a subsidiary or branch within the group) have already adopted a group-wide AML/CFT policy. The Commission supports the adoption of such group-wide policies as prudent practice wherever they at least meet Isle of Man standards.

Suspicion of money laundering and terrorist financing must normally be reported within the jurisdiction where the suspicion arose and where the records of the related transactions are held. However, there may in certain cases, e.g. when the account is domiciled in the Isle of Man, also be a requirement for a report to be made to the Isle of Man Financial Crime Unit ("FCU").

Licenceholders must note that they cannot contract out of their statutory and regulatory requirements to prevent and detect money laundering and terrorist financing. In all outsourcing instances, the delegating entity retains the ultimate responsibility for the duties delegated and undertaken on its behalf. This includes the requirement to ensure that the provider of the outsourced services has in place adequate AML/CFT systems, controls and procedures.

If a licenceholder wishes to outsource functions and activities, it must:

(a) assess any possible AML/CFT risk associated with the proposed outsourced functions as part of its business risk assessment required by Paragraph 3 of the Code;

(b) maintain a record of the assessment; and,

(c) regularly review the assessment and where appropriate amend it to keep it up to date, as well as ensuring that the relevant adequate systems and procedures are in place.

Licenceholders must ensure that, despite outsourcing certain functions, they are meeting their legal and regulatory responsibilities in relation to these functions. Licenceholders' AML/CFT systems, controls and procedures should extend to assessing and monitoring the following features of outsourced service providers:

(a) quality and stability;

(b) management and control;

(c) systems and controls including increased awareness and training of appropriate staff; and

(d) ability to prevent and detect financial crime related to money laundering and terrorist financing.

Outsourcing of functions can lead to increased money laundering and terrorist financing risk where, for example, functions are outsourced to businesses located in jurisdictions with less stringent AML/CFT requirements than those in the Isle of Man. Therefore, licenceholders must identify the requirements for the prevention and detection of financial crime that are in place in all outsourcing jurisdictions. Licenceholders must ensure in all cases that outsourced service providers adhere to AML/CFT standards that are at least as stringent as in the Isle of Man.

The Code and this Handbook permit a number of concessions from identification procedures. These concessions are permitted where the applicant for business, or in some cases another financial services business which has already established a relationship with the applicant for business, is located in a jurisdiction where it is subject to AML/CFT requirements at least equivalent to those of the Code.

FATF Recommendation 9 allows each jurisdiction to evaluate and determine for itself which countries are deemed to have equivalent status with regards to implementation of the FATF Recommendations. The jurisdictions considered to have AML/CFT requirements at least equivalent to those of the Code are listed at Schedule 2 in the Code and are reproduced within Appendix C of the Handbook.

If any licenceholder has significant business dealings with a jurisdiction which is not on the list and considers the country's AML/CFT standards are such that it could be included, it can make a business case to that effect to the Commission, IPA or the Department of Home Affairs ("DHA"). A business case must include, amongst other things, reference to the jurisdiction's latest IMF Inspection Report or other international or national assessments or "audits" covering details of the regulatory system and AML/CFT legislation and supervision. It must also provide the estimated volume or value of business, etc. that the licenceholder expects to conduct with that jurisdiction.

The DHA, IPA and the Commission will consider the application and if approved the DHA will amend Schedule 2 of the Code accordingly.

The fact that a jurisdiction has comparable AML/CFT measures, and so may be considered equivalent, means only that the necessary legislation is in place in that jurisdiction. It does not provide assurance that a particular overseas financial services business is subject to that legislation; or that it has implemented the necessary measures to ensure compliance with that legislation.

Licenceholders must ensure that when seeking to apply either a concession of the Code or of this Handbook it is dealt with in accordance with the relevant Section of the Handbook (see Sections 4.11 and 4.12).

The Commission believes that AML/CFT arrangements must allow a business to adopt a risk-based approach to money laundering and terrorist financing prevention and detection. Provision for a risk based approach towards AML/CFT is made in the Code.

A risk based approach:

(a) recognises that the money laundering and terrorist financing threat to a licenceholder varies across customers, jurisdictions, products and delivery channels;

(b) allows a licenceholder to differentiate between customers in a way that matches risk in a particular business;

(c) allows a licenceholder to apply its own approach to procedures, systems and controls and arrangements in particular circumstances; and

(d) helps to produce a more cost effective system.

Systems and controls will not detect and prevent all money laundering or terrorist financing. A risk-based approach will, however, serve to balance the cost burden placed on individual licenceholders and on their customers with a realistic assessment of the threat of a business being used in connection with money laundering or terrorist financing. It focuses effort where it is needed and has most impact.

Licenceholders should avoid rigid internal systems of control as these can encourage the development of a 'tick box' mentality that can be counter-productive. Internal systems should require employees to properly consider the risks posed by individual customers and relationships and to react appropriately.

The development of a risk-based approach is covered in Section 2.4.