The Isle of Man Financial Services Authority recently released their new Supervisory Methodology Framework document, which “sets out the culmination of long-standing plans to embed a revised internal structure to support the implementation of an updated supervisory methodology framework.”
The release of the Framework was quickly followed by a Panel Discussion organised by the Alliance of Isle of Man Compliance Professionals (AICP).
This blog looks at a summary of the Framework followed by a review of the general questions and temperature of the audience at the panel discussion.
Let’s take a closer look at the new framework.
Background
The Supervisory Methodology Framework will help to focus the Authority’s resources on the “greatest threats to its objectives of protecting consumers, reducing financial crime, and maintaining confidence in the financial services sector” through effective regulation.
For regulated firms, supervisory activity will be “more proportionate to the firm’s impact, as determined by its size, the type of activities it conducts, and its potential to cause disruption to the Island’s financial system.”
The AML/CFT supervision for all firms (regulated firms and designated businesses) will be aligned to the level of money laundering or terrorist financing risk to which a firm is exposed.
AML/CFT supervision
For AML/CFT, the Framework is designed so the firms and sectors that pose the highest level of money laundering or terrorist financing risk receive the most attention under the FSA’s engagement model.
For lower risk firms there will be a greater emphasis on thematic work and outreach.
A key part of the approach is to assess risk at firm and sector level through data automation.
Supervisory Structure
The Supervision Divisions are split into:
- AML/CFT Supervision – oversee all regulated firms & designated businesses
- HMI Supervision – enhanced supervision & supervision of high & medium impact firms (except banks & insurers)
- Portfolio Supervision – Authorisations & supervision of low impact firms (except banks & insurers)
- Prudential Supervision – Banking & Insurance
Risk-based Supervision
The Authority will undertake impact assessments on a cyclical basis – firms will be told their impact rating. When a significant trigger event occurs, such as acquisitions and mergers, the Impact Rating Panel may re-convene to re-assess that firm’s impact rating mid cycle.
Firms should note the AML/CFT supervisory engagement model is separate and distinct from the supervisory impact led engagement model; rather than being driven by impact, engagement is driven by a firm’s financial crime risk rating.
Meetings
For AML/CFT supervision, the Authority may hold specific meetings with firms’ risk and compliance functions or MLROs.
The types of firm stakeholders the Authority may request to meet include:
- Executives and/or Senior Management
- Independent Non-Executive Directors and Other Non-Executive Directors
- Risk and Compliance function(s)
- Actuarial Functions (insurance only)
- Chief Financial Officers/Finance function(s)
- Internal Audit (where relevant)
- External Auditors
- MLROs
Triggers
When triggers arise, the Authority will evaluate the risk and may take proportionate supervisory action, noting that it is a firm’s responsibility to manage risk appropriately.
Triggers may include, but are not limited to:
- Notifications made by firms;
- Breaches reported, or identified;
- Customer complaints;
- Information gateways with other agencies and authorities;
- Material external events;
- Intelligence gathering; and
- Whistleblowing.
The Authority has noted the risk categories they will use:
- Conduct risk
- Clients’ Assets risk
- Financial Crime risk
- Governance risk
- Operational risk
- Prudential risk
- Strategic risk.
Industry Insights from the Recent AICP Panel Discussion About the New FSA Supervision Framework
The AICP panel discussion was held on the 17th May and was both interesting and informative.
In summary:
- Most people feel that the approach makes sense, but there are concerns that it’s a big change this close to the MONEYVAL visit.
- There is a concern that smaller entities will be forgotten entirely and treated as if they have no risk, which isn’t the case.
- There’s a general feeling that organisations should have been told where they sit within the framework.
- It is hoped that the IOMFSA will publish how they came to the conclusions they have for license holders and the risk they pose and therefore the level of oversight.
- There is a concern that some entities will have too much oversight and as such it’s hoped that there will be the ability for license holders to challenge their level of oversight.
- There was a heads up that the GSC will also be changing the way they supervise and their structure. This is likely to be more in line with the FSA and they will be looking to take more enforcement action.
- There was a general feeling that the IOMFSA should change their reports to be more in line with the GSC. Many attendees felt that the harsh, unhelpful approach currently being taken is scaring people away from industry.
- It was questioned why, in most businesses, the MLRO or Compliance officer takes sole responsibility for regulator communication, when they aren’t the only individuals in a business in a controlled function. It is felt Compliance should push back more and give more responsibility to others, to ease the mental load.
- In trying to understand the current state of affairs at the IOMFSA, attendees were questioning whether the loss of staff – and therefore the personal knowledge people had of specific license holders – is part of the problem, leading to a less pragmatic approach from the remaining, less experienced staff at the Authority more recently.
The general feeling of many in the room, rightly or wrongly, was that the basic stance of the IOMFSA is ‘legislation has been in place for 20 years. If you don’t get it now/aren’t compliant, there’s a fine coming your way.’
In light of the continual change in the regulatory landscape, is this a fair stance for the Authority to take?
There was also the question: with an increasing number of entities being fined for exactly the same issues, does this suggest there is something wrong with either:
- the guidance
- FSA’s interpretation
- or is the entire industry simply getting it wrong?
In conclusion
Attendees were generally in favour of the Framework. But concerns exist around the Authority’s recent approach.
The mental load of compliance professionals is already huge. If license holders are to be potentially over-scrutinised, then there is a concern that the inaccessibility of advice from the IOMFSA will further cripple the compliance sector.
There’s a lot going on at the moment. But you don’t need to face it on your own. An initial chat with us costs you nothing and will improve how you sleep at night. Contact us today to be better prepared for tomorrow.