Phase one of the Isle of Man Financial Services Authority’s Thematic Review was the issuing of a Business Risk Assessment (BRA) questionnaire to a selection of regulated Trust & Corporate Services Providers for completion.
The Authority published a report in July 2023 which outlines the results from this first phase, as well as the Authority’s observations on the data and some subsequently identified best practice points.
Phase two of the Thematic Review is currently underway, with the Authority conducting desk-based inspections.
Below is a summary of the first phase.
- A BRA should clearly set out the risks a business faces in relation to customers and their activities and explains the basis of the assessment. Highlight how much, and what level of risk the business is prepared to take. Additionally, what risk the firm is not prepared to take.
- There should be a documented Risk Appetite Statement or associated Policy.
- There should be a documented Anti-Money Laundering / Countering the Financing of Terrorism Policy in place.
- The BRA should by informed by other risk assessments required by the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the Code) as well as the Isle of Man National Risk Assessment.
- Detail the composition of the customer base and where the risks are. For example, how many high & standard risk clients, Politically Exposed Persons split by domestic & foreign and high & standard risk ratings.
- Incorporate the link to Customer Risk Assessments as a key source of information.
- There should be evidence of a BRA’s review and approval, for example extracts of Board minutes.
- The BRA should be communicated to the entire business.
- The BRA should have clearly documented reviews and approvals, using a version control.
- There should be a process in place to ensure the timely supply of information or documentation requested by the Authority.
- There should be a documented Risk Assessment Methodology / Risk Scoring Matrix in place:
Assessment of the inherent risks relevant to the business
Identify mitigating factors and controls to manage the impact of the risks
Assessment of the risk impact
Assessment of the effectiveness of the controls in place
Assessment of whether the residual risk is within the documented risk appetite
Assessment of likelihood / probability of the risksAssessment of the cumulative risks. - Consider the use of different information sources for a BRA.
- If the business is part of a Group, the BRA should consider the specific risks relevant to the Isle of Man licenceholder.
- The Code, paragraph 5(3) should be clearly documented in the BRA:
5 Business risk assessment
3) The business risk assessment must have regard to all relevant risk factors, including —
(a) the nature, scale and complexity of the relevant person’s activities;
(b) any relevant findings of the most recent National Risk Assessment relating to the Island;
(c) the products and services provided by the relevant person;
(d) the manner in which the products and services are provided, including whether the relevant person meets its customers;
(e) the involvement of any third parties for elements of the customer due diligence process, including where reliance is placed on a third party;
(f) customer risk assessments carried out under paragraph 6; and
(g) any technology risk assessment carried out under paragraph 7.
- Any areas for development highlighted in the BRA should be reported to the Board / senior management.
- Identify whether there any barriers in place to prevent the operation of effective systems & controls.
- Record keeping requirements – keep previous versions for a minimum of 5 years.
- Document whether the BRA would be reviewed and updated at a trigger event.
We’re currently supporting our clients in respect of IOMFSA findings and feedback on their Business Risk Assessments.
If you’re looking for guidance, support or reassurance around your Business Risk Assessment please do contact us today through [email protected], on 01624 820601, or to save time, book directly into our calendar here.
