Safe Custody and Administering or Managing Money on Behalf of Another Person Sector Specific AML/CFT Guidance

Version 1 February 2025 Safe Custody / Administering or managing money on behalf of another person Sector Specific AML/CFT Guidance Notes February 2025 Whilst this publication has been prepared by the Financial Services Authority, it is not a legal document and should not be relied upon in respect of points of law. Reference for that purpose should be made to the appropriate statutory provisions. Contact: AML/CFT Division Financial Services Authority PO Box 58, Finch Hill House, Bucks Road, Douglas Isle of Man IM99 1DT Tel: 01624 646000 Fax: 01624 646001 Website: www.iomfsa.im Email: aml@iomfsa.im

Isle of Man Financial Services Authority Page 2 of 10 Version 1 February 2025 Contents

1. Foreword........................................................................................................................................3 2 Introduction ...................................................................................................................................4 3 National Risk Assessment...............................................................................................................4 4 Risk Guidance .................................................................................................................................4 4.1 General High-Risk Indicators......................................................................................................5 4.2 Red Flags....................................................................................................................................6 5 Safe Custody Facilities....................................................................................................................7 6 Administering or managing money on behalf of another person..................................................8 7 Customer Due Diligence.................................................................................................................9

Isle of Man Financial Services Authority Page 3 of 10 Version 1 February 2025

1. Foreword For the purposes of this sector specific guidance the term Safe Custody refers to a business conducting the activity included in paragraph 2(6)(q) of Schedule 4 to the Proceeds of Crime Act 2008 (“POCA”). The activity is defined below: subject to sub-paragraph (19), providing safe custody facilities for cash or liquid securities, deposit boxes or other secure storage facilities suitable for high value physical items or assets, jewellery, precious metals, stones, bullion or documents of title. Administering or managing money on behalf of another person refers to a business conducting the activity included in paragraph 2(6)(s) Schedule 4 to the POCA. The activity is defined below: Administering or managing money on behalf of another person. By virtue of being included in Schedule 4 to POCA, the business activity of providing Safe Custody facilities or Administering or managing money on behalf of another person are subject to the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (“the Code”). These sectors are also subject to the designated business regime under the Designated Businesses (Registration and Oversight) Act 2015 which came into force in October 2015 (“DBROA”). A full list of the activities that fall within the designated business regime can be found in Schedule 1 to the DBROA. These business activities are subject to the registration requirements of the DBROA, and the Isle of Man Financial Services Authority (“the Authority”) has the power to oversee these sectors for Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) purposes. Anyone offering ‘Safe Custody’ facilities or undertaking the ‘Administering or managing of money on behalf of another person’ must be registered with the Authority in advance of undertaking any business. Businesses carrying out such activity without being registered commit a criminal offence. Please see section 7 of the DBROA for further details.

Isle of Man Financial Services Authority Page 4 of 10 Version 1 February 2025 2 Introduction The purpose of this document is to provide some specific guidance for these sectors in relation to AML/CFT. This document should be read in conjunction both with Code and the main body of the AML/CFT Handbook (“the Handbook”). Though the guidance in the Handbook, and this sector specific guidance, is neither legislation nor constitutes legal advice, it is persuasive in respect of contraventions of AML/CFT legislation dealt with criminally, by way of civil penalty or in respect of the Authority’s considerations of a relevant person’s (as such a term is defined in paragraph 3 of the Code) regulatory / registered status and the fit and proper status of its owners and key staff where appropriate. 3 National Risk Assessment The Island’s National Risk Assessment (“NRA”) was published in 2015 and was updated in 2020. The primary purpose of the NRA is to identify, understand and evaluate the ML/FT risks face by the Island and to highlight areas where action is required. Due to there being a very limited number of relevant persons registered to provide Safe Custody facilities, and no relevant persons register under the activity of ‘Administering or managing money on behalf of another person’, neither of these sectors are specifically drawn out and risk assessed in the Island’s current NRA. Given these sectors are very small with limited activity, the ML/FT risk to the Island from a sectoral perspective is relatively low. At the time of publication of this document the NRA is currently undergoing a revision. Further to this, a standalone Safe Custody Risk Assessment will be produced, and this will feed into the overarching NRA. Relevant persons should ensure that this, along with any other sectoral or topical risk assessment that may be relevant to their business, are considered when reviewing their own policies and procedures, including their business risk assessment. 4 Risk Guidance The Code mandates that a number of risk assessments are completed – • a business risk assessment (paragraph 5) • a customer risk assessment (paragraph 6) • a technology risk assessment (paragraph 7) These risk assessments should be used to adopt a risk-based approach in assessing the risks relating to its business, its customers and any technology used. The facilitation of ML/FT is a serious problem that businesses should be aware of, and whilst utilising a risk-based approach

Isle of Man Financial Services Authority Page 5 of 10 Version 1 February 2025 cannot provide a full guarantee to a firm that it will be protected from being used to facilitate ML/FT it can assist businesses in understanding its risks and implementing AML/CFT measures to manage and mitigate these risks effectively. Vigilance should govern all aspects of the business’ dealings with its customers, including: • customer identification; • nature and purpose of the business relationship; • ongoing monitoring of the business relationship; • customer instructions; • transactions into and out of customer accounts, or one-off transactions as applicable; • technology / security issues if there is an online element to the business relationship. 4.1 General High-Risk Indicators As with the basic elements of a risk assessment, discussed in chapter 2 of the AML/CFT Handbook (“the Handbook”), the following activities may increase the risk of the relationship. Just because an activity / scenario is listed below it does not automatically make the relationship high risk; the customer’s rationale / nature / purpose of the business relationship etc. should be considered in all cases. If a business is unable to obtain a satisfactory explanation from a customer in the event of the following situations, features, or activities, or any other features which cause it concerns, it should be determined whether this is suspicious or unusual activity. Please refer to chapter 5 of the Handbook for further detail of the Island’s suspicious activity reporting regime. As stated in paragraph 13 (Ongoing monitoring) of the Code: 13 Ongoing monitoring (2) Where a relevant person identifies any unusual activity in the course of a business relationship or occasional transaction the relevant person must – (a) perform appropriate scrutiny of the activity; (b) conduct EDD in accordance with paragraph 15; and (c) consider whether to make an internal disclosure. (3) Where a relevant person identifies any suspicious activity in the course of a business relationship or occasional transaction the relevant person must – (a) conduct EDD in accordance with paragraph 15 of the Code, unless the relevant person believes conducting EDD will tip off the customer; and (b) make an internal disclosure.

Isle of Man Financial Services Authority Page 6 of 10 Version 1 February 2025 This list of higher risk indicators is by no means exhaustive, and relevant persons should be vigilant for any transactions where suspicion may be aroused and take appropriate measures. Also please see the list of red flags included at 3.2. • Where a customer is reluctant to provide normal information or provides only minimal information. • Where a customer’s documentation cannot be readily verified. • The customer is reluctant to provide the business with complete information about the nature and purpose of the relationship. • The customer is located in a higher risk jurisdiction. • Transactions involving numerous jurisdictions. • The customer is reluctant to meet personnel from the firm in person and / or uses a “front person”. • The customer is unwilling to provide a rationale as to the source of any new funds. • The customer has no discernible reason for using the businesses’ services, or the businesses’ location. • The customer’s address is associated with multiple accounts that do not appear to be related. • The customer is known to be experiencing extreme financial difficulties. • The nature of activity does not seem in line with the customer’s usual pattern of activity. • The customer enquiries about how to terminate a business relationship without explaining their reasons fully. • The customer exhibits unusual concern with the businesses’ compliance with Government reporting requirements and/or AML/CFT policies and procedures. 4.2 Red Flags In addition to the above higher risk indicators, there are some factors that are likely to be “red flags” in relation to that particular relationship or occasional transaction and would therefore usually be suspicious activity. If a relevant person identifies suspicious activity appropriate steps as explained in section 3 of this document, and the Code, must be taken. This list of red flags is by no means exhaustive and is as follows: • where it is identified a customer provides false or misleading information; • where it is identified a customer provides suspicious identification documents; • the customer does not provide the business with relevant / accurate information about the nature and intended or ongoing purpose of the relationship, including anticipated account activity; • the customer is secretive / evasive when asked to provide more information; • when requested, the customer refuses to identify a legitimate source of funds or source of wealth; • the customer only wishes to pay in cash; • the customer refuses to provide details on beneficial owners of an account or provides information which is false, misleading or substantially incorrect;

Isle of Man Financial Services Authority Page 7 of 10 Version 1 February 2025 • the customer enquiries about how quickly they can end a business relationship where it is not expected; • where the business relationship is ended unexpectedly by the customer and the customer accepts any unusually high fees to terminate the relationship without question; • the customer appears to be acting on behalf of someone else and does not provide satisfactory information regarding whom they are acting for; • the customer is known to have criminal / civil / regulatory proceedings against them for crime, corruption, misuse of public funds or is known to associate with such persons; and • the customer is interested in paying higher charges to keep their identity secret. 5 Safe Custody Facilities This refers to the activity of providing Safe Custody facilities for cash or liquid securities, deposit boxes or other secure storage facilities suitable for high value physical items or assets such as jewellery, precious metals, precious stones, bullion or documents of title. This is intended to capture those businesses that are providing Safe Custody facilities ‘by way of business’. Businesses that are providing Safe Custody and storage facilities for cash or other valuable assets, and are doing this ‘by way of business’, are required to registered under the DBROA. Paragraph 4(6) to the DBROA excludes certain activities which are not captured for the purpose of this activity: • the storage of goods such as luggage, household items or motor vehicles; • the storage of non-physical property such as computer data; • the secure transportation of high value items; • the offering of safe custody on an occasional or very limited basis, such as hotels providing a safe for use by guests; or • legal professionals storing legal documents other than documents of title. It is expected that any relevant persons offering these services ‘by way of business’ should have appropriate procedures designed to mitigate the relevant associated risks, and businesses should also ensure they have policies and procedures related to record-keeping and staff training in line with the provisions of the Code. If you believe you may be undertaking this activity and are not already registered or licensed to provide such services, then please get in touch with the Authority and we can arrange a meeting to discuss this further.

Isle of Man Financial Services Authority Page 8 of 10 Version 1 February 2025 6 Administering or managing money on behalf of another person This refers to the activity of ‘Administering or managing money on behalf of another person’. This activity was brought into the designated business regime to ensure there was alignment and consistency across our AML/CFT framework, and to further ensure that all activities which are subject to the requirements of the Code, have a designated oversight body for AML/CFT purposes. Administering or managing money on behalf of another person is quite a broad activity definition and could encompass the provision of services already undertaken by licensed or registered persons. There are a number of regulated and registered business activities already overseen by the Authority that may undertake some form of ‘Administering or managing money on behalf of another person’ as part of their standard operating functions and services. This new activity is not intended to supersede any current licensing or registration provisions a relevant person may have, but has instead been brought into the DBROA to capture anyone who may be offering this type of services ‘by way of business’ and who is not already licensed or registered under an existing activity. The type of services that may be captured under this activity are: • Escrow type services when being provided ‘by way of business’ by persons not already registered or licensed to provide these services in a professional capacity; • Power of Attorney (“POA”) services when being provided ‘by way of business’ by persons not already registered or licensed to provide these services in a professional capacity. This would include the provision of services for a Lasting Power of Attorney (“LPA”), Enduring Power of Attorney (“EPA”) and Ordinary Power of Attorney ("OPA”); or • The provision of Treasurer services when being provided ‘by way of business’ by persons not already registered or licensed to provide these services in a professional capacity. This is not intended to capture persons acting as Treasurer for a charity, unless that person is undertaking these services in a professional capacity and is doing so ‘by way of business’. Anyone licensed under the FSA08 or registered under the DBROA who, in the normal course of their business, undertakes this type of activity, would not be expected to amend their registration or licensing details. This activity is not intended to capture instances where money is being administered or managed on behalf of a relative, parent or friend, where this service is not being provided ‘by way of business’.

Isle of Man Financial Services Authority Page 9 of 10 Version 1 February 2025 For example, a person who is acting as POA for a parent or relative, and in fulfilling these functions, they administer or manager funds on behalf of that parent or relative under the terms of the POA, would not be captured under the Act. To reiterate, the provisions of this activity are only subject to the Code, and the registration requirements of the DBROA, if the services are being provided ‘by way of business’. It is expected that any relevant persons offering these services ‘by way of business’ should have appropriate procedures designed to mitigate the relevant associated risks, and businesses should also ensure they have policies and procedures related to record-keeping and staff training in line with the provision of the Code. If you believe you may be undertaking this activity and are not already registered or licensed to provide such services, then please get in touch with the Authority and we can arrange a meeting to discuss this further. 7 Customer Due Diligence Part 4 of the Code requires relevant persons to undertake customer due diligence and ongoing monitoring in relation to all business relationships. Chapter 3 of the Handbook provides guidance on how to identify and verify the identity of the customer in relation to both a natural and legal person. Also, guidance on the timing of identification and verification of identity is provided. For details of particular concessions which may be relevant please see section 6 of this guidance and chapter 4 of the Handbook. In all cases where the requirements of Part 4 of the Code cannot be met (Paragraphs 8(5), 9(9), 10(5), 12(11), 14(6), 15(8) and 19(11)) the procedures and controls must provide that – (a) the business relationship must proceed no further; (b) the relevant person must consider terminating1 the business relationship; and (c) the relevant person must consider making an internal disclosure. 1 In relation to a new business relationship (paragraph 8) the business relationship must be terminated.

Isle of Man Financial Services Authority Page 10 of 10 Version 1 February 2025