2025-12-11

Regulatory Guidance – Fitness and Propriety

The Isle of Man Financial Services Authority issues this guidance to define the criteria and processes for assessing the fitness and propriety of individuals holding Controlled Functions within regulated entities. It mandates that regulated entities conduct thorough due diligence and submit specific forms to the Authority, distinguishing between notification-only roles and those requiring prior acceptance. The framework emphasizes integrity, financial standing, and competence to protect customers and maintain the jurisdiction's reputation against financial crime.

Isle of Man Financial Services Authority

REGULATORY GUIDANCE Fitness and Propriety 11 December 2025

Contents

  Glossary
  1. Introduction
  2. Why is the fitness and propriety of individuals considered?
  3. What are the implications of an individual not being fit and proper?
  4. What are the core components of fitness and propriety?
  5. Who do the fitness and propriety standards apply to?
  6. Who considers the fitness and propriety of an individual?
     a) Regulated entity
     b) The Authority
  7. How does an individual have his fitness and propriety assessed?
     a) Notified only – Controlled Function
     b) Notified and accepted – Controlled Function
  8. How should a regulated entity conduct its due diligence in relation to the fitness and propriety of an individual?
     a) Existing regulated entity
     b) New applicant to become a regulated entity
     c) Criminal record checks
  9. How long do the fitness and propriety standards apply to an individual for?
  10. What if an individual ceases to hold a Controlled Function?
  11. What about outsourced services?
     a) In general
     b) MLRO/DMLRO
  12. What about section 29 of the IA2008?
  13. What if an individual is being appointed to more than one Controlled Function for a regulated entity? Which forms should I use?
  14. What if a director is retiring and seeking re-appointment, as a corporate governance matter, are forms required?
  Appendix 1 – The components of fitness and propriety
     A. Integrity
     B. Financial standing
     C. Competence and capacity
     D. Learning the role – staff development
  Appendix 2 – The Controlled Functions
  Appendix 3 – Controllers
  Appendix 4 – Optional occasional fitness and propriety declaration by an individual in a Controlled Function (other than R1 or R3) to its regulated entity
  Appendix 5 – Due diligence
  Appendix 6 – Relevant forms
  Appendix 7 – R18 Senior Manager with Significant Influence – Decision Tree
  Appendix 8 – Section 29 of the IA2008
  Appendix 9 – Insurance – Group Supervision
  Appendix 10 – Independence

Glossary

Term: Meaning in this document

AML/CFT Code: The current Anti-Money Laundering and Countering the Financing of Terrorism Code

Authority: Isle of Man Financial Services Authority

CISA2008: Collective Investment Schemes Act 2008

Connected person: Persons required to be notified to the Authority under section 29 of the IA2008

Controlled Function: Any of the functions set out at Appendix 2 of this document

DBROA15: Designated Businesses (Registration & Oversight) Act 2015

Designated insurer: See Appendix 9

DMLRO: Deputy money laundering reporting officer

FSA2008: Financial Services Act 2008

Governing body: In relation to any regulated entity, or controller of such, the body responsible for the direction and management of the business (for example a company’s governing body will be its board of directors and a trust’s governing body will be its trustees)

IA2008: Insurance Act 2008

Intermediate controller: Any controller (as defined in the regulatory legislation) which is not a controller of the regulated entity, its immediate parent, or an ultimate beneficial owner

ISPV: Insurance Special Purpose Vehicle

MLRO: Money laundering reporting officer

Notified and accepted Controlled Function: Any of the functions set out in the table at Appendix 2 of this document as notified and accepted

Notified only Controlled Function: Any of the functions set out in the table at Appendix 2 of this document as notified only

RBSA2000: Retirement Benefits Schemes Act 2000

Regulated entity: This term is used to mean any of the following:

  • a licenceholder under the FSA2008;
  • persons authorised or registered under the IA2008;
  • permit holders, other than EU permit holders, under the IA2008;
  • persons registered under the RBSA2000;
  • corporate trustees of authorised retirement benefits schemes;
  • the governing bodies of certain collective investment schemes in connection with Controlled Function R5 only;
  • designated insurers where the Controlled Function is R30 - Group Actuary (see Appendix 9); or
  • applicants to become regulated entities where the context requires.

Fitness and Propriety

  1. Introduction

This guidance document is issued by the Authority in order to set out the criteria that it will normally apply in considering ‘fitness and propriety’, when used in the context of individuals who hold, or wish to hold, Controlled Functions within regulated entities. For this purpose regulated entity has the extended meaning given in the Glossary, but it does not apply to designated businesses registered under the DBROA15. Designated businesses should refer instead to the Designated Businesses Registration Policy available on the Authority’s website.

This guidance also provides information on the Authority’s expectations and the processes involved, for both the regulated entity and the Authority, in ascertaining whether an individual is, and remains, fit and proper.

The Authority issues guidance for various purposes, including to illustrate best practice, to assist relevant persons in complying with legislation and to provide examples or illustration. This guidance has been issued under sections 6 and 12 of the FSA2008, section 34 of the IA2008 and section 42 of the RBSA2000.

This guidance is not law; however, it is persuasive. Where a person follows guidance this would tend to indicate compliance with associated legislative provisions, and vice versa. For the avoidance of doubt, this guidance does not constitute binding guidance under the IA2008. Original legislation should always be consulted for legal purposes. If you are unsure about your legal obligations you should seek legal advice.
  2. Why is the fitness and propriety of individuals considered?

Regulatory legislation worldwide requires certain persons to be fit and proper. In the case of regulated entities in the Isle of Man the specific legislative requirements are contained in the FSA2008, IA2008, Insurance (Group Supervision) Regulations 2019, RBSA2000, and CISA2008.

Fitness and propriety is a mainstay of regulatory legislation because it is vital to have these standards –

  a) for the protection of the customers of regulated entities;
  b) to ensure that regulated entities are not controlled or managed by persons engaged in financial or other crime, and
  c) to protect the reputation of the Isle of Man.
  3. What are the implications of an individual not being fit and proper?

The implications of an individual not being fit and proper may include:

  • where the acceptance of the Authority is being sought to permit a regulated entity to appoint a person to a ‘notified and accepted Controlled Function’ – the Authority objecting to the individual’s appointment;
  • where an individual is performing a Controlled Function – an investigation being conducted in relation to that individual’s fitness and propriety, which could result in consideration of whether they may continue to perform the Controlled Function;
  • that individual being the subject of a prohibition, for example, under s10A FSA2008; and
  • an effect on the fitness and propriety assessment of the regulated entity itself.

Additionally, a regulated entity may not permit a person to perform a Controlled Function if they are not fit and proper to do so.

  4. What are the core components of fitness and propriety?

The concept of fitness and propriety appears in a number of pieces of regulatory legislation, and the overarching interpretation of the term includes the consideration of an individual’s integrity, financial standing and their competence and capacity. Appendix 1 provides further details about each of these components.

  5. Who do the fitness and propriety standards apply to?

The requirement to be fit and proper applies to the nature of the ‘role’ for which an individual is proposed within a regulated entity, rather than the job title. Generally, the types of roles are key person / senior managerial roles (known as Controlled Functions) and are –

  a) those where an individual has significant influence or control over the regulatory matters of a regulated entity, and / or
  b) roles that have a bearing on the regulatory objectives of the Authority, and its ability to meet them.

Examples of Controlled Functions falling within a) above include a director of a regulated entity, or a principal control officer of an insurer. Examples of Controlled Functions falling within b) above are the MLRO and the DMLRO, because their competence and integrity can affect whether the Authority is able to “reduce financial crime” which is one of its regulatory objectives [1].

Functions that are defined as Controlled Functions, and therefore which are subject to fitness and propriety assessments by the regulated entity and, where indicated, the Authority, are set out in Appendix 2. In respect of fitness and propriety assessments for controllers, the requirements in certain circumstances are different, and these are set out in Appendix 3.

[1] Financial Services Act 2008 – section 2(2)(b)

  6. Who considers the fitness and propriety of an individual?

a) Regulated entity

A regulated entity (including an applicant to become regulated) is expected to have conducted and completed its own due diligence before proposing an individual for appointment to a Controlled Function. The regulated entity is expected to be fully satisfied with the individual’s fitness and propriety prior to notifying the Authority of its intention to appoint that person.

In making its notification, the regulated entity must provide certain information and declarations to the Authority dependent upon the particular Controlled Function. The information required will be set out within the relevant form (see Appendix 6, i.e. Individual Questionnaire (F&P 1), Notification Only Form (F&P 2), Controller Questionnaire (F&P 3), as appropriate); and the regulated entity will need to ensure its internal controls and processes are suitable to do this.

Where a regulated entity becomes aware that there may be a concern regarding the fitness and propriety of an individual that already holds a Controlled Function, the Authority expects the entity to investigate such concern and take action as appropriate without delay.

The regulated entity itself is statutorily required to be fit and proper, and therefore it is expected to notify the Authority promptly if any circumstances change, or events arise, that could affect the assessment of itself or an individual in a Controlled Function.

As part of the Authority’s supervision, it may assess a regulated entity’s analysis of the fitness and propriety of individuals in Controlled Functions, its records of the due diligence undertaken and its process for appointment.

b) The Authority

As well as the regulated entity, the Authority also considers an individual’s fitness and propriety. In doing so it relies on the due diligence of the regulated entity in relation to all Controlled Functions.
Additionally, for those that are notified and accepted Controlled Functions (or in other cases should this be considered necessary) the Authority will also undertake due diligence of its own, such as communication with other regulators.

  7. How does an individual have his fitness and propriety assessed?

a) Notified only – Controlled Function

If a Controlled Function is subject to notification only, then advance notice to the Authority of the appointment is not required. The regulated entity must nevertheless have fully conducted and completed its own due diligence (see Appendix 5) and be satisfied that the candidate is fit and proper before they are able to take up the role. Then, using Form F&P 2 – Notification Only Form, the regulated entity must notify the Authority, within 10 business days following the date of appointment, of –

  • the individual’s appointment, and which type of Controlled Function(s) it is in relation to;
  • the individual’s name, address and date of birth, and
  • the date of appointment.

The F&P 2 includes a declaration by the regulated entity [2] that it has satisfied itself on reasonable grounds that the individual is fit and proper, including that the individual meets minimum competence requirements (if these apply – see the Training and Competence Framework). This declaration must be signed on behalf of the regulated entity by an individual in a notified and accepted Controlled Function (preferably a R4 – Director or R13 – Head of Compliance, or R28 for branches), and who has been duly authorised by the regulated entity to do so. The form also includes a declaration from the individual appointed to the Controlled Function that they comply with the fit and proper standards. Questions in the F&P 2 must be answered in full. Comments such as “see your records” are not acceptable answers.

b) Notified and accepted – Controlled Function

Before a regulated entity may appoint individuals to notified and accepted controlled functions the regulated entity must have fully conducted and completed its own due diligence (Appendix 5) and have positively assessed the candidate to be fit and proper.

Where the Authority is the Group Supervisor of an insurance group, it is the responsibility of the designated insurer to ensure that due diligence has been conducted by the group. This applies to only one Controlled Function – R30 – Group Actuary.

The regulated entity must then submit an F&P 1 Individual Questionnaire to the Authority, which must be completed jointly by the individual and the regulated entity. The F&P 1 should be provided to the Authority at least 20 business days in advance of the intended appointment.

The Authority aims to respond within 20 business days, but if an individual takes up a notified and accepted Controlled Function without the Authority’s prior acceptance of the regulated entity’s intention to appoint that individual, it is important to note that this will not prevent the Authority subsequently objecting to the appointment should that be necessary. Consequently, a regulated entity may wish to consider avoiding appointing an individual to a notified and accepted Controlled Function unless the regulated entity receives the written acceptance of the Authority to the appointment to that Controlled Function. When a regulated entity informs an individual of an offer of a role which is a notified and accepted Controlled Function, it should make it clear that the offer is subject to the written acceptance of the Authority.

The F&P 1 contains a declaration by the regulated entity that it has satisfied itself on reasonable grounds that the individual is fit and proper, including that the individual meets minimum competence requirements (where these apply - see the Training and Competence Framework), and provide a rationale for the conclusions reached. This declaration must be signed on behalf of the regulated entity by an individual in a notified and accepted Controlled Function (preferably a R4 – Director or R13 – Head of Compliance or R28 for branches), and who has been duly authorised by the regulated entity to do so. It also includes a declaration by the individual confirming that they consider themselves to meet the fitness and propriety standards. Questions in the F&P 1 must be answered in full. Comments such as “see your records” are not acceptable answers.

The assessment of fitness and propriety is case specific – it relates to the individual proposed by the regulated entity, but consideration will also take into account the particular Controlled Function and the regulated entity in question. Any acceptance is specific to the individual, the particular Controlled Function and in the context of the regulated entity itself. This is because an individual may be considered to have sufficient competence in the case of regulated entity ABC Ltd (bearing in mind the nature of its business, its compliance history, client type, and the other individuals holding Controlled Functions) but to have insufficient competence for the same (or different) Controlled Function with regulated entity XYZ Ltd. Likewise, in the case of an insurance group, an individual may be considered competent to perform the Controlled Function of R30 - Group Actuary in a group where all its insurers carry on the same type of business, but not in a group where this varies across the group.

[2] For entities under the RBSA2000, where an individual trustee is being appointed, the Empowered Person must sign the declaration (see the form for definition); where a director is appointed to a corporate trustee of a retirement benefits scheme then the corporate trustee must sign, and where a director is appointed to a corporate administrator the administrator must sign.

  8. How should a regulated entity conduct its due diligence in relation to the fitness and propriety of an individual?

A regulated entity is required to perform due diligence in determining the fitness and propriety of an individual for all Controlled Functions. This should include verification of the information the regulated entity obtains from such an individual.
The nature of the expected due diligence is set out in the table at Appendix 5, which also shows the nature of the due diligence that will be undertaken by the Authority in cases of notified and accepted Controlled Functions. For criminal records please see c) below.

a) Existing regulated entity

In the case of new individuals in Controlled Functions within existing regulated entities, the Authority does not require to be provided with the due diligence (such as employers’ references / qualification checks etc.) in almost all circumstances. The declarations within the relevant forms (see Appendix 6) from the regulated entity that the due diligence has been performed will suffice. Please note, however, that the Authority may ask for evidence of the due diligence at any time, and if it does so this may be remotely or during a supervisory visit.

b) New applicant to become a regulated entity

Unlike the case of an existing regulated entity, where a new application is being considered for an entity to become a regulated entity, the Authority will typically require the applicant entity to provide:

  • evidence of the substance of those being proposed by it in notified and accepted Controlled Functions (including details of their full career history and experience);
  • copies of the due diligence it has undertaken to evidence the fitness and propriety of those individuals; and
  • certified copies of identification and verification documentation.

c) Criminal record checks

Individuals proposed for notified and accepted Controlled Functions should be subject to a criminal record check. This check should be undertaken before the relevant form is submitted to the Authority.

For both existing regulated entities and applicants to become a regulated entity, the individual must complete the relevant section of the Individual Questionnaire (F&P 1) confirming when such a check has been undertaken. Please note: a copy of the checking body’s certificate MUST be supplied to the Authority for review, which will subsequently be destroyed.

In the case of Controlled Function R1 (if the proposed controller is an individual) the individual must complete the relevant section of the Controller Questionnaire (F&P 3) confirming when such a check has been undertaken. Please note: a copy of the checking body’s certificate MUST be supplied to the Authority for review, which will be subsequently destroyed.

In order for a regulated entity, or an applicant to become a regulated entity, to satisfy itself as to the integrity of an individual, it should review a certificate that evidences that a Basic level criminal record check has been carried out on that individual. The Authority expects the check to have been carried out within 12 months of the date of the relevant form. If the check is less recent, or one has not been conducted, the regulated entity / applicant to become a regulated entity must provide clear and compelling reasons for this. This rationale will form part of the Authority’s consideration of the individual’s fitness and propriety, and the Authority may determine the rationale insufficient and require a criminal record check to be undertaken.
A criminal record check certificate may be obtained by one of the following three methods:

  1. the individual may request a Basic check themselves through the Disclosure and Barring Service, Disclosure Scotland or AccessNI. The certificate will be provided directly to the individual and should be made available to the regulated entity (or an applicant to become a regulated entity);
  2. if the individual has had a Basic, Standard or Enhanced check undertaken by another party within the last 12 months and the individual is happy to share this with the employer; or
  3. if the individual is or has been resident outside the UK, please see the guidance at: https://www.gov.uk/government/publications/criminal-records-checks-for-overseas-applicants which will provide details of how to obtain a criminal record check from other jurisdictions. If obtaining such a check is not possible in a particular jurisdiction, it remains the responsibility of the regulated entity to satisfy itself as to the integrity of individuals it is proposing, and supporting its ability to sign the ‘Declaration by Regulated Entity’. In such instances, provided the regulated entity can satisfactorily annotate the steps it has taken to assess the integrity of the individual being proposed, the Authority will take these into account when reviewing an application. Some examples of alternative methods that could be used to determine if an individual has a criminal record could include: engagement of investigatory bureau in the jurisdiction of residence of the proposed individual, or undertaking a World Check or C6 status check.

Please note that the results from a Data Subject Access Request (or similar) made to the Isle of Man Constabulary are not a substitute for undertaking a criminal record check.

Applying for and being in receipt of the results of the criminal record check is insufficient on its own - the regulated entity, or applicant to become a regulated entity, must consider whether the details provided on the certificate issued by the checking body are consistent with the details stated by the individual within the relevant form; as well as considering whether the details on the certificate impact on its ability to confirm to the Authority (within the form’s declaration) that it is satisfied the individual is fit and proper for the role in which they are proposed.

For spent convictions which are not ‘protected’, please select ‘no’ on the relevant F&P form and send full details, separate to the F&P form, in writing and marked for the attention of the Senior Manager, to Authorisations@iomfsa.im. All correspondence will be dealt with in the strictest confidence and the Authority will acknowledge receipt directly to the individual in question. Details must be supplied even if they have been supplied to the Authority in previous applications.

For spent convictions which are ‘protected’ please simply select ‘no’ on the F&P form and no further action is necessary.

  9. How long do the fitness and propriety standards apply to an individual for?

All individuals proposed for, or holding, Controlled Functions must be fit and proper. The requirement is not only for an individual to be fit and proper when initially assessed, it remains as a continuing requirement. An individual must remain fit and proper at all times when undertaking a Controlled Function.

Individuals who have been accepted as fit and proper will not be routinely reassessed by the Authority, but whether they are in notified only Controlled Functions, or notified and accepted Controlled Functions, if a regulated entity chooses to do so it may seek to have occasional declarations made to it that individuals continue to meet the fitness and propriety standards (example set out in Appendix 4).

Regardless, a regulated entity should require individuals in Controlled Functions to notify the regulated entity of any material changes to the information originally provided when entering the Controlled Function in case that affects the regulated entity’s view as to their current status of fitness and propriety.

If a regulated entity becomes aware of any significant matters that may affect an assessment of the fitness and propriety of any of its individuals in Controlled Functions, it is the regulated entity’s responsibility to investigate such concerns, take action as appropriate without delay and to notify the Authority promptly.

  10. What if an individual ceases to hold a Controlled Function?

If an individual ceases to hold a Controlled Function the regulated entity should inform the Authority using F&P 5 - the Individual Controlled Function Cessation Form. For regulated entities other than Retirement Benefits Scheme Trustees or Administrators, this form should be completed and submitted within 10 business days of the giving of notice or other event giving rise to the cessation. Where the cessation is in relation to certain Controlled Functions [3] within a Retirement Benefits Scheme Trustee or Administrator, the form should be completed and submitted with at least 20 business days’ notice of the cessation being provided.

[3] R1, R2, R4, R6, R7, R8

  11. What about outsourced services?

a) In general

We understand that on occasion certain services may be delegated / outsourced to a third party that directly relate to, for example:

  • the discharging of the responsibilities of the Head of Compliance;
  • the work of internal audit.

In such cases, the assessment form should be in respect of the regulated entity’s own personnel (director or staff member) with responsibility for the role (e.g. Head of Compliance) or outsourced activity (e.g. internal audit), and not the person / third party to whom it has been outsourced.

b) MLRO/DMLRO

Under the AML/CFT Code a regulated entity must appoint an individual to be the MLRO, and this individual must be sufficiently senior in the organisation of the regulated entity or have sufficient experience and authority. However, occasionally the MLRO (or DMLRO) may not be an employee of the regulated entity or its group. In such cases the regulated entity must still appoint an individual, and this specific appointment is not considered outsourcing.

The individual is considered, for this purpose, to be an officer of the regulated entity. Therefore, F&P forms must be submitted relating to the individual in question (these roles must be held by a specific individual, not an entity), and the regulated entity must conduct the necessary due diligence on that individual, sign the declarations and ensure the individual not only has the competence to undertake the role but also the capacity to do so (vis-a-vis appointments they may have with other entities).

  12. What about section 29 of the IA2008?

Under section 29 of the IA2008, regulated entities are required to notify the Authority in advance of the appointment of several persons who may not be individuals, including corporate company secretaries and auditors and insurance managers. Appendix 8 provides further detail about this situation.

  13. What if an individual is being appointed to more than one Controlled Function for a regulated entity? Which forms should I use?

If an individual is being appointed at one time to more than one Controlled Function for a regulated entity, then only one form is normally required, as long as the regulated entity considers the attributes and Training and Competence Framework requirements for each of the Controlled Functions. If an individual is already in a Controlled Function but takes on another Controlled Function for the same regulated entity, then the relevant form is required at that time.

For example, Mrs X is to be appointed as R4A – Executive Director / R11 – actuary / R9 – company secretary. Only one F&P 1 is required, and it is this form because at least one of the new Controlled Functions is notified and accepted. The F&P 1 should be annotated on the Continuation Page with a note about the R9 (a notified only) appointment being made at the same time.

As another example, if Mrs X is to be appointed as R9 – company secretary / R17 – the individual responsible for the submission of regulatory returns / R23 – director of client companies for a CSP, then only one F&P 2 is required for all 3 appointments. That is because in this case all new appointments are notified only.

In cases of doubt, please contact Authorisations@iomfsa.im.

  14. What if a director is retiring and seeking re-appointment, as a corporate governance matter, are forms required?

If a director is retired and reappointed as a corporate governance matter in one meeting, the Authority does not require any of the F&P forms unless the director is not successful in reappointment, in which case the Cessation Form – F&P 5 will be required.

Appendix 1 – The components of fitness and propriety

A. Integrity

Integrity is demonstrated through an individual’s personal behaviour and business conduct, and evidence regarding their character. In assessing integrity, past actions or conduct that could indicate a lack of integrity, such as those that are dishonest or unethical, require consideration.

Matters where a lack of integrity could be involved include (in respect of any jurisdiction) where:

a) the individual is or was a sole trader, or a director or partner in a legal entity, which has been refused, prohibited, restricted or suspended from the right to carry on any trade, business or profession for which authorisation is required by the law of any jurisdiction; or has had any such authorisation revoked for a reason that was not voluntary;

b) the individual has been the subject of any complaint made to the regulated entity, the Authority, the Financial Services Ombudsman Scheme or any equivalent body relating to activities subject to regulation in any jurisdiction. In considering whether such a complaint adversely affects the individual’s integrity and ability to carry out the Controlled Function, consideration should be given to the materiality of the complaint, the outcome of any inquiry or investigation or any similar process into that complaint if it has been concluded, and the length of time since the complaint was made;

c) the individual is or has been subject to any disciplinary proceedings by bodies such as employers, industry associations etc., or has been issued a warning, reprimand or other administrative sanction by a regulatory authority, a clearing house or exchange, or a government or professional body;

d) the individual has been dismissed, or asked to resign and did resign, from any profession, vocation, office or employment or from any position of trust or fiduciary appointment, whether or not remunerated;

e) the individual has been a member of the governing body of a body corporate that has been struck off the register of companies (or its equivalent) by the Registrar of Companies (or its equivalent) on an involuntary basis;

f) the individual has been disqualified or restricted from acting as a director or officer of bodies corporate, or has been disqualified from acting in any managerial capacity;

g) the individual has:
   i. been convicted of an offence either of money laundering or terrorist financing (or their equivalent);
   ii. been convicted of an offence which could be relevant to that person’s ability to perform the relevant function; or
   iii. had a finding, judgment or order made against that person involving fraud, misrepresentation, dishonesty or breach of trust or where the individual is subject to any current proceedings for fraud, misrepresentation, dishonesty or breach of trust;

h) the individual has been the subject of any civil penalty enforcement action taken by a regulatory authority;

i) the individual has been untruthful or provided false or misleading information to the regulated entity or the Authority, or been uncooperative in any dealings with the regulated entity or the Authority;

j) the individual, or any business with which the individual held a position of responsibility or influence has been or is being, investigated, disciplined, censured, suspended or criticised by a regulatory or professional body, a court or tribunal or any similar body, whether publicly or privately; or

k) the individual has been found, by a regulatory authority, to have perpetrated or participated in any negligent, deceitful or otherwise discreditable business or professional practice.

In making an assessment of integrity as an element of fitness and propriety, all relevant circumstances, on a case-by-case basis, should be considered.

As part of the fitness and propriety assessment, individuals must disclose convictions which are not ‘spent’ within the relevant forms (see Appendix 6) and to the regulated entity. In the case of notified and accepted Controlled Functions, spent convictions must be disclosed directly to the Authority4.

All individuals in Controlled Functions are expected to ensure, by their conduct, and their involvement in setting policies, procedures and by providing appropriate supervision and training to others within the regulated entity, that the regulated entity’s business is conducted with integrity. Failure to do so, or failure to be open and honest with the Authority or other regulator may be relevant to an assessment of an individual’s or a regulated entity’s integrity. This includes the failure to complete a form or supply information required in an honest manner, or the deliberate or negligent omission of any relevant information.

B. Financial standing

The Authority considers that individuals in Controlled Functions should manage their financial affairs in a sound and prudent manner, and be in good financial standing. Therefore considerations should include matters such as whether an individual (in respect of any jurisdiction):

a) has ever been declared bankrupt or is currently an undischarged bankrupt;

b) has entered into a compromise arrangement with creditors;

c) is, or has been, subject to any judgement debt, which has not been satisfied in full; or

d) was a member of the governing body of an entity which has been the subject of insolvency.

Any judgement debt obtained against an individual must be disclosed within the relevant forms (see Appendix 6).

4 The Rehabilitation of Offenders Act (Exceptions) Order 2001 allows the Authority to take account of convictions which would otherwise be treated as spent under the Rehabilitation of Offenders Act 2001

A credit check should be undertaken on individuals proposed for Controlled Functions. If an individual is not resident in the IoM or UK a letter of good standing may be requested from their bank.

In making an assessment all relevant circumstances, on a case-by-case basis, should be considered.

C. Competence and capacity

A regulated entity should ensure that all individuals who perform roles relating to activity that is regulated by the Authority (not only those in Controlled Functions) are competent for the tasks that they perform; and that they have the capacity (i.e. adequate time) to perform the tasks and meet the responsibilities of their role effectively.

The Authority has issued a Training and Competence Framework which specifies the experience and, where necessary, academic or professional qualifications that are considered relevant to hold for various roles, including Controlled Functions. In making its notification, the regulated entity must consider the Training and Competence Framework, and whether the individual meets those standards.

Having adequate capacity to undertake a Controlled Function must be considered by both the regulated entity and the individual seeking to take up a Controlled Function. It is possible that an individual may have the necessary qualifications and experience to undertake a Controlled Function, but inadequate time to do so effectively due to other roles or responsibilities assigned to them.

Matters such as size and type of business, complexity, risk profile, organisation structure, target market etc. will not be the same within any two organisations. Different functions will entail different responsibilities and different levels of knowledge and expertise. For this reason, apart from some specific qualifications in certain circumstances, the Training and Competence Framework cannot point to conclusive knowledge or expertise that is required for each particular function. The regulated entity should make the assessment as to what makes an individual competent to perform the specific Controlled Function for that entity using its own knowledge, and taking into account all relevant matters.

The Authority requires the regulated entity to set out these considerations and the rationale for its conclusions in F&P 1 - the Individual Questionnaire where competence is not consistent with the Training and Competence Framework, or where an individual has a number of roles or responsibilities potentially impacting on their capacity to be effective in the proposed Controlled Function. In such circumstances, the Authority may request the individual to attend an interview to seek further information or clarification on matters arising from the F&P form submitted.

An interview may be undertaken when an individual does not, on the face of the information supplied, meet the experience or qualifications outlined in the Training and Competence Framework or if they are new to certain Controlled Functions. The purpose of interviews is to give the individual the opportunity to demonstrate that, despite a prima facie lack of qualifications or experience in a Controlled Function, they otherwise meet the Authority’s expected standards. Attendance is entirely voluntary; if the individual chooses not to attend an interview, the Authority will draw its conclusions based on the information available to it.

In general terms, individuals holding, or applying to hold, a Controlled Function should have:

a) a sound knowledge of the business of the regulated entity as a whole5, through training or experience, and the specific responsibilities that are to be undertaken in the relevant function;

b) a clear and comprehensive understanding of the regulatory and legal environment appropriate to the relevant function;

c) professional or other qualifications that are appropriate to the relevant function; and

d) sufficient capacity to perform the tasks and meet the responsibilities of the Controlled Function effectively, and not allow the conduct of concurrent responsibilities to impair their ability to discharge the duties of the relevant function or otherwise allow personal conflicts of interest to arise in carrying out the role.

The lack of relevant qualifications, or serious or repeated breaches of legislation or codes of conduct in the Island, or elsewhere will, prima facie, suggest a lack of competence.

With regard to individuals that hold Controlled Functions, a regulated entity should also ensure that:

a) they remain competent for the work they do;

b) they are appropriately supervised; and

c) their competence and capacity are regularly reviewed.

D. Learning the role – staff development

Staff that are inexperienced within a Controlled Function should be given responsibility on a staged basis and with appropriate induction and mentoring until that individual can demonstrate their experience within the role. Examples include:

• First time directors of a regulated entity should join an existing and experienced Board and be provided with suitable mentoring;

• Newly appointed individuals providing financial or insurance advice should have the suitability of their advice reviewed by an experienced adviser/broker for a period of time;

• Individuals within a Trust and Corporate Service Provider that are new to directorship or trustee responsibilities in relation to client structures should initially be appointed to less active and lower-risk structures and work with experienced colleagues.

The regulated entity should ensure it has the necessary controls in place regarding mentoring and training of developing individuals and be able to demonstrate this as part of its rationale for appointment. As part of the Authority’s supervision, it may assess the regulated entity’s controls and oversight in this regard.

5 NB for Independent Non-executive Directors, the business knowledge is likely to be broader and less specific to the regulated entity

Appendix 2 – The Controlled Functions

The Controlled Functions are set out in the table below. They fall into two main categories – those that require notification and acceptance by the Authority, and those that require notification only.

In the absence of a legislative provision which requires a regulated entity to appoint a person to a Controlled Function, this guidance does not require a regulated entity to ‘create’ a Controlled Function where one did not previously exist. Instead a regulated entity should review its functions and determine whether any of its roles meet those listed.

As an example, the regulatory requirements mean that some regulated entities must have an internal audit function. In this case the Head of the Internal Audit function will be undertaking Controlled Function R14. If a regulated entity is not required to have an internal audit function, and does not have this voluntarily, then there will be no Controlled Function R14. However, if a regulated entity is not required by regulatory requirements to have an internal audit function, but voluntarily does so, then it will have a Controlled Function R14. Likewise, there is no regulatory requirement to have a senior manager responsible for persons providing investment or insurance advice, however if the regulated entity has such an individual, then they will be in Controlled Function R21.

Regulated entities should apply substance over form when reviewing functions – it is the nature and responsibilities of the function, not the job title, that determines its categorisation.

Importantly, the Authority does not require regulated entities to perform a retrospective exercise.
Regulated entities must follow this Guidance and utilise the F&P forms at Appendix 6 for individuals taking up Controlled Functions after 1 August 2018; but this is not required for those individuals in position prior to 1 August 2018 if the procedures applicable before that date had been followed. Please note, if the Authority considers that a particular individual does not fall within a defined category of Controlled Function, but it nevertheless appears to the Authority that the individual has significant powers or responsibilities, then the Authority may require notification of the individual using F&P 1 - Individual Questionnaire, or F&P 3 - Controller Questionnaire (as the case may be), together with further information about their role and responsibilities. This is considered a notified and potentially accepted Controlled Function. This will enable the Authority to determine whether the role requires acceptance or just notification (in which case the Controlled Function will be R10 or R10A respectively). This situation is expected to be rare, and can only be utilised by the Authority. A regulated entity cannot determine that an individual is in Controlled Function R10 or R10A.

Controllers and owners

R1. Controllers – of the regulated entity / of its immediate parent / of its ultimate parent company or the ultimate beneficial owner of the regulated entity
Type: Notified and accepted
Guidance on role / responsibilities: This includes the legal entity that is the immediate parent or ultimate parent of the regulated entity, as well as individuals meeting the definition of controller6 for the regulated entity / its immediate or ultimate parent company of a group structure as well as individuals that are ultimate beneficial owners of the regulated entity.

R2. Not in use

R3. Controllers – ‘intermediate controllers’ – i.e. non-individual controllers that do not meet the description of R1 but nevertheless are within the statutory definition of controller
Type: Notified and potentially accepted
Guidance on role / responsibilities: These will be ‘intermediate controllers’ which do not fall within the description at R1; for example, a holding company in the chain of ownership which is neither the regulated entity’s immediate nor ultimate parent.

Members of governing bodies

R4A. Executive directors of an Isle of Man incorporated* regulated entity
Type: Notified and accepted
Guidance on role / responsibilities: This Controlled Function also includes:
• employees of an Insurance Manager proposed to be directors of a managed insurer (R4A or R4B)
• employees of a Class 7 licenceholder proposed to be directors of a managed entity (R4A or R4B)
• members of the management committees of credit unions (R4A)
• persons proposed as directors of a corporate trustee of an authorised retirement benefits scheme (* whether or not that corporate trustee is incorporated in the IoM) (R4A).

R4B. Non-independent, non-executive directors of an Isle of Man incorporated* regulated entity

R4C. Independent non-executive directors of an Isle of Man incorporated* regulated entity (please refer to Appendix 10 for guidance on ‘Independence’)

R5. Members of a governing body of a collective investment scheme (in respect of certain schemes only)
Type: Notified and accepted
Guidance on role / responsibilities: All members of the governing bodies of collective investment schemes should be fit and proper. However, the Authority only regards those of the following scheme types to be Controlled Functions: Authorised Schemes / Full International Schemes / Regulated Funds / Recognised Funds.

R6. An individual who is a professional trustee of an authorised retirement benefits scheme
Type: Notified and accepted
Guidance on role / responsibilities: In this context, professional trustee means a trustee who undertakes this position by way of business.

R7. An individual trustee who is not a professional trustee of a retirement benefits scheme
Type: Notified only

Senior management and officers of a regulated entity

R8. Chief Executive or Managing Director of an Isle of Man incorporated regulated entity, or the most senior executive in the Isle of Man responsible for a branch of a non-Isle of Man incorporated entity
Type: Notified and accepted
Guidance on role / responsibilities: NB: A Managing Director will also need to hold an R4A Controlled Function. It is also very likely that a Chief Executive will be a director and thus need to hold an R4A Controlled Function.

R9. Individual who is the company secretary of an Isle of Man incorporated regulated entity
Type: Notified only

6 See s48 FSA2008, s26 IA2008 and s54 RBSA2000

R10. Key person
Type: Notified and accepted
Guidance on role / responsibilities: If the Authority considers that a particular individual does not fall within a defined category of Controlled Function, but nevertheless appears to the Authority to have significant powers or responsibilities, then the Authority may require notification of the individual using F&P 1 - Individual Questionnaire, or F&P 3 - Controller Questionnaire (as appropriate), together with further information about their role and responsibilities. This is considered a ‘notified and accepted Controlled Function’. This situation is expected to be rare, and can only be utilised by the Authority. A regulated entity cannot determine that an individual is in a notified and potentially accepted Controlled Function.

R10A. Key person
Type: Notified and potentially accepted
Guidance on role / responsibilities: If the Authority considers that a particular individual does not fall within a defined category of Controlled Function, but nevertheless appears to the Authority to have significant powers or responsibilities, then the Authority may require notification of the individual using F&P 2 - Notification Only Form, together with further information about their role and responsibilities. This is considered a ‘notified only Controlled Function’. This situation is expected to be rare, and can only be utilised by the Authority. A regulated entity cannot determine that an individual is in a notified and potentially accepted Controlled Function.

Assurance persons of or to a regulated entity

R11. Appointed actuary of an insurer under s18 IA2008, or Head of Actuarial Function
Type: Notified and accepted
Guidance on role / responsibilities: NB. Head of Actuarial Function refers to the individual holding this function for a commercial insurer to whom para 5(1)(b) of the Corporate Governance Code of Practice for Commercial Insurers applies.

R12. Principal control officer – of an entity regulated under the IA2008
Type: Notified and accepted
Guidance on role / responsibilities: This Controlled Function should be used for individuals controlling the exercise of functions within the regulated entity, i.e. a role that fits within the definition of principal control officer (‘PCO’) set out at section 54 of the IA2008. Despite the following roles being capable of falling within PCO, they have specific competencies attached to them, therefore the more specific Controlled Function should be used rather than R12: Head of compliance (R13) / Head of internal audit (R14) / MLRO (R15) / DMLRO (R16) / Head of Actuarial Function (R11).

R13. Head of compliance
Type: Notified and accepted
Guidance on role / responsibilities: The individual responsible for ensuring or monitoring compliance with the regulated entity’s legal and regulatory obligations and required to provide objective assessment or objective reporting to the governing body of the regulated entity.

In many regulated entities there will only be one compliance officer who will therefore be the Head of compliance, but in larger entities or groups there may be a team and an individual to whom other compliance officers / personnel report. In the case of groups, it is important for the regulated entity to identify the individual who will be / is exercising the functions of “Head of compliance” where this is set down in the relevant legislation. Depending on the structure of the group and the compliance team, this individual may be the one to whom the others report, or may be one of those compliance officers. However, there can be only one individual who holds the Head of compliance Controlled Function per regulated entity.

In the case of branches, the Head of compliance will be the most senior individual with compliance responsibility locally, who may have a reporting function to Head Office / Group, but who will also be expected to provide reports to local senior management.

This Controlled Function will, for example, encompass the individual nominated by certain Class 8 licenceholders under Rule 8.22(3) of the Financial Services Rule Book.

Where a regulated entity outsources certain compliance services, please refer to section 11a of this guidance.

Where an Insurance Manager is providing management services for an insurer, Head of compliance means an individual working for or on behalf of the insurer who is responsible for the compliance function of that insurer.

R14. Head of internal audit
Type: Notified and accepted
Guidance on role / responsibilities: If a regulated entity has an internal audit function, this Controlled Function will be the individual responsible for monitoring compliance with the regulated entity’s internal strategies, policies and procedures; legal and regulatory obligations; risk management; or internal control systems and required to provide objective assessment or objective reporting to the governing body of the regulated entity.

R15. MLRO
Type: Notified and accepted

R16. DMLRO
Type: Notified only
Guidance on role / responsibilities: Please note, because the DMLRO is a notified only Controlled Function, if a DMLRO’s role is intended to formally change to become MLRO, this will require an F&P 1, because the MLRO is a notified and accepted Controlled Function. However, where a DMLRO deputises in the MLRO’s absence no F&P 1 is required.

R17A. Person responsible for the submission of the regulatory returns to the Authority
Type: Notified only
Guidance on role / responsibilities: The individual (other than one mentioned at * below) who is responsible for the detail within, and accuracy of, the regulatory returns.
* An individual will not be in Controlled Function R17 if they are in any notified and accepted Controlled Function for the SAME regulated entity.

R17B. Person responsible for the submission of AML/CFT data through STRIX to the Authority
Type: Notified only
Guidance on role / responsibilities: The individual who is responsible for the submission of AML/CFT data through STRIX to the Authority.

Other persons of a regulated entity

R18. Senior manager with significant influence
Type: Notified only
Guidance on role / responsibilities: An individual (other than one mentioned at † below) who reports directly to the governing body as a whole, or directly to an individual member of the governing body and is able to exercise significant influence and is responsible for the day to day management of a function which undertakes the regulated business of the regulated entity; in accordance with strategies, policies and procedures set out by the governing body. See Appendix 7 for more guidance.
† An individual will not be in Controlled Function R18 if they are in any of the following Controlled Functions for the SAME regulated entity: R1 to R4A, R4B, R8, R10 to R16, R19 to R21A, R22A or B and R28.

R19. Financial controller
Type: Notified and accepted
Guidance on role / responsibilities: An individual (other than one mentioned at # below) who is able to exercise significant influence and responsible for the day to day management of the accounting function of the regulated entity in accordance with strategies, policies and procedures set out by the governing body.
# An individual will not be in Controlled Function R19 if they are in the Controlled Function of R4A (Executive Director) for the SAME regulated entity.

R20. Head of operations
Type: Notified only
Guidance on role / responsibilities: Where they are an individual (other than one mentioned at ~ below) who reports directly to the governing body or directly to an individual member of the governing body and who is able to exercise significant influence.
~ An individual will not be in Controlled Function R20 if they are in the Controlled Function of R4A (Executive Director) for the SAME regulated entity.

R21. Senior manager with responsibility for persons providing investment or insurance advice
Type: Notified and accepted
Guidance on role / responsibilities: An individual who is responsible for persons giving investment or insurance advice to clients.

R21A. Individual providing investment advice to clients
Type: Notified and accepted
Guidance on role / responsibilities: NB: If an individual already holds Controlled Function R21 for the SAME regulated entity, and takes on R21A subsequently, an F&P 1 is not required, but the regulated entity must notify the supervision team responsible for the entity within the Authority of this additional appointment. Also, the individual may need to obtain additional documentation, such as an IoM Statement of Professional Standing, if one is not already held.

R21B. Individual providing insurance advice to clients
Type: Notified only
Guidance on role / responsibilities: NB: This Controlled Function only applies to regulated entities that are registered under the IA2008.

Branches of non-IOM incorporated regulated entities and non-EU permit holders under the IA2008 / Foreign branches of IoM incorporated entities

R22A. Head office personnel who have a clear and direct responsibility for the IoM branch or who will be overseeing the work of that branch
Type: Notified and accepted
Guidance on role / responsibilities: The term ‘branch’ also includes a Class 1(3) Representative Office and a non-EU permit holder under the IA2008. Such individuals should be a member of the senior management of the company of which the branch is part, and will often be in a Controlled Function (or similar) in their home jurisdiction.

R22B. The most senior executive in an overseas jurisdiction, and responsible for a branch in that jurisdiction, of an IoM incorporated entity
Type: Notified and accepted
Guidance on role / responsibilities: Such individuals should be a member of the senior management of the company of which the branch is part, and will often be in a Controlled Function (or similar) in their host jurisdiction.

Others, including officers of client entities

R23. Director (or equivalent) or company secretary of a client entity of a CSP
Type: Notified only

R24. Director (or equivalent) or company secretary of a body corporate acting as a director, nominee shareholder or company secretary of a client entity of a CSP
Type: Notified only

R25. Trustee of a client trust of a TSP
Type: Notified only

R26. Director (or equivalent) or company secretary of a corporate trustee of a TCSP
Type: Notified only

R27. Council member of a client foundation of a TCSP
Type: Notified only

R28. Isle of Man Resident Officer
Type: Notified and accepted
Guidance on role / responsibilities: Applies to branches of non-IOM incorporated entities only that are regulated under the FSA08.

R29. Other insurance managers (non-life insurers only)
Type: Notified and accepted
Guidance on role / responsibilities: Any individual within the IA2008 definition of manager that is not included within any other Controlled Function. Applies to non-life insurers only.

Insurance group roles (where the Authority is the Group Supervisor)

R30. Group Actuary
Type: Notified and accepted
Guidance on role / responsibilities: See Appendix 9.

Appendix 3 – Controllers

Controllers are defined in the regulatory legislation (see s.48 FSA2008, s.54 IA2008, s.54 RBSA2000 and s.26 CISA2008). They include some shareholders and owners of regulated entities. The regulatory legislation requires an applicant for regulatory permissions to satisfy the Authority that its controllers are fit and proper. Controllers may be individuals or bodies corporate, and in some cases legal arrangements such as trusts.

Once an entity becomes regulated, it is required to notify the Authority in advance of changes in its controlling interests. In some cases, especially large, geographically dispersed groups, the regulated entity may not be aware of a proposed change, and as a result the obligation to advise the Authority of the change lies with the controller / potential controller.

The regulated entity, its immediate parent and ultimate beneficial owners

Controllers of the regulated entity, and those of its immediate or ultimate parent (if applicable), as well as individuals that are the ultimate beneficial owners of a regulated entity, are controllers falling within the notified and accepted Controlled Function R1. The proposed controllers are required to provide detailed information about the ownership structure of the regulated entity and key relationships within the proposed structure, utilising a Controller Questionnaire. This will also facilitate the Authority’s determination of which persons are ‘intermediate’ controllers (R3).

Intermediate controllers of regulated entities (R3)

• Intermediate controllers are considered by the Authority to be notified and potentially accepted. The proposed controller must provide advance notice of change together with detailed information utilising F&P 4 - Intermediate Controller Notification Form.

This information will be used by the Authority to determine whether it needs to understand a particular intermediate controller in greater detail, and if it does so it will determine that the intermediate controller requires acceptance. Should that be the case, the intermediate controller will be required to provide the Authority with sufficient information to satisfy the Authority of its fitness and propriety.

The fit and proper standards applying to controllers

Individuals that are controllers will need to meet the same fit and proper standards as individuals in other Controlled Functions, although competence may not need to be considered if the controller undertakes no other Controlled Function.

Other persons, such as corporate entities, that are controllers also have to be fit and proper. Therefore the concepts of integrity, financial standing and competence apply.

The integrity of a controller that is a corporate entity will be affected by matters such as litigation, whether it is held in good standing with its listing authority (if any) and / or regulator, public censure, etc.

Isle of Man Financial Services Authority Page 26 of 38 The financial standing of such a person will be affected by matters such as financial judgements, liquidation, insolvency, etc. The competence of such a person will be affected by its legal capacity (and the holding of all necessary regulatory permissions) to be a controller of the regulated entity. Captive insurers Forms F&P 3 and F&P 4 apply to, and are required for, changes in the control of captive insurers, as they are for any other regulated entity. However, as a proportionate response to the very limited circumstance set out below, and in acknowledgement of the fact that a captive insurer is typically a small part of a wide group of, often, a non-financial services nature, Part C of Form F&P 3 need not be completed in the following circumstance (where all the bullet points apply): • If the only change is to an individual who will be the CEO or Managing Director of the ultimate parent company of the captive insurer; • If the captive insurer is part of a non-financial services group; • If the ultimate parent company has not changed, and therefore remains the same legal entity; and • If the ultimate parent company is listed on a major stock exchange. Please bear in mind, however, that the Authority must still receive written notice of the change under section 29 of the Insurance Act 2008; which means completion of Part C of Form F&P 3 may be the chosen way of giving that notice in any event. Also the Authority reserves the right to require the form’s full completion if it determines that is appropriate in all the circumstances. Isle of Man branches of overseas regulated entities Forms F&P 3 and F&P 4 apply to, and are required for, changes in the control of Isle of Man branches of overseas regulated entities, as they are for any other regulated entity. 
However, as a proportionate response to the very limited circumstance set out below, and in acknowledgement of the fact that an Isle of Man branch may be part of a much wider entity and group that is subject to consolidated supervision by a home regulatory authority, Part C of Form F&P 3 need not be completed in the following circumstance (where all the bullet points apply):

• If the only change to “control” is in relation to an individual who will be the CEO or Managing Director of a body corporate of which the regulated entity (the legal entity which the Isle of Man branch is a part of) is a subsidiary;
• If the group of which the regulated entity is part is subject to consolidated supervision by its home regulatory authority;
• If the individual referenced above is subject to fit and proper checks by a relevant overseas regulatory authority; and
• If the ultimate parent company / group is listed on a major stock exchange.

Please bear in mind, however, that the Authority must still receive written notice of the change, which means completion of Part C of Form F&P 3 may be the chosen way of giving that notice in any event. Also, the Authority reserves the right to require the form’s full completion if it determines that is appropriate in all the circumstances.

Appendix 4 – Optional occasional fitness and propriety declaration by an individual in a Controlled Function (other than R1 or R3) to its regulated entity

The fitness and propriety standards and a declaration that they are met are included within the relevant forms (see Appendix 6) and are therefore required as part of an individual’s initial fitness and propriety assessment.

Additionally, a regulated entity may wish to consider whether individuals in Controlled Functions (other than those in Controlled Functions R1 and R3) should provide fitness and propriety declarations to it on an occasional basis. If a regulated entity so determines, an example declaration is set out below. If used, it should be retained by the regulated entity; the Authority does not require a copy of it.

I ………… [NAME] ………… holding the Controlled Function(s) of XXXXX with [regulated entity YYYYYYYY] hereby declare that I have:

• maintained, and will continue to maintain, my fitness and propriety, in terms of my integrity, financial standing and competence at all times;
• in my communications with the Isle of Man Financial Services Authority, been open and truthful, full and accurate in all respects and not misleading, and will continue to be so;
• ensured I have, and will maintain, the minimum competence requirements (where applicable) and appropriate qualifications, experience, competence and capacity to properly discharge the duties and functions of my Controlled Function(s);
• conducted, and will conduct my affairs in a sound and prudent manner;
• ensured that in the performance of my Controlled Function I have complied, and will continue to comply with, the relevant regulatory standards and requirements; and
• that I will notify [the regulated entity] without delay if I for any reason no longer comply with the fitness and propriety standards.

Signed:

Dated:

Appendix 5 – Due diligence

This table sets out the due diligence checks that should be undertaken on individuals proposed for Controlled Functions:

Due diligence | By the Authority (Notified and accepted Controlled Functions only) | By the Regulated Entity (All Controlled Functions) | Details of check

Competence

✓ Documentary evidence to show the individual fulfils the Training & Competence Framework applicable (if any) for the Controlled Function(s) undertaken
✓ Declaration within the relevant form that the individual fulfils the Training and Competence Framework requirements for the Controlled Function(s) undertaken (if any)
✓ Professional body check (where applicable) (e.g. covering issues such as: is membership held / is it current / has disciplinary action been taken)
✓ Previous & current employers’ references (minimum last 10 years where possible)
✓ Capacity check (e.g. covering issues such as does the individual have enough time to devote to the role when considering other roles with the regulated entity, as well as other roles held elsewhere)
✓ Declaration within the relevant form that the individual is able to perform the functions required without being exposed to unmanaged material conflict
✓ ✓ Consideration of the reasonableness of the statement from the regulated entity of why the individual is competent and capable of fulfilling the Controlled Function(s)

Integrity

✓ (notified and accepted CF only – although good practice in notified only cases too) Criminal record check (individual)
✓ (notified and accepted CF only – although good practice in notified only cases too) Review of criminal record check data
✓ Individual self-certification of all convictions
✓ (notified and accepted CF only) Comparison of individual self-certification of all unspent convictions to data from check
✓ Review of spent convictions notified to the Authority
✓ Search for regulatory actions against individual inc. director disqualifications
✓ Inter-regulator checks
✓ ✓ Review of individual’s self-certification of all regulatory actions including pending actions and director or officer disqualifications
✓ ✓ Consideration of the reasonableness of the statement from the regulated entity of its assessment of the integrity of the individual

Financial standing

✓ Court judgements search
✓ Insolvency lists
✓ Credit check
✓ ✓ Consideration of individual self-certification of judgements etc.
✓ Consideration of the statement from the regulated entity of its assessment of the financial standing of the individual

General

✓ Identity and other due diligence checks
✓ Consideration of the acceptability of the Controlled Function held by the signatory to the declarations required on behalf of the regulated entity (i.e. sufficiently senior / authorised to sign on behalf of the regulated entity)
✓ ✓ Website checks
✓ ✓ Consideration of reasonableness of the declaration of individual that they meet the fitness and propriety standards

Appendix 6 – Relevant forms

Please note: all forms submitted must be signed originals, not copies.

| Form Name | Form Number | Usage |
| --- | --- | --- |
| Individual Questionnaire | F&P 1 | To be completed when an individual is being proposed for a notified and accepted Controlled Function |
| Notification Only Form | F&P 2 | To be completed when an individual has been appointed to a notified only Controlled Function |
| Controller Questionnaire | F&P 3 | To be completed in respect of Controlled Function R1. This form is designed for use by both corporate controllers (Part B), and individuals that are controllers (Part C). For new individual controllers of the ultimate parent company of a captive insurance entity, or Isle of Man branches of overseas regulated entities only, see Appendix 3. |
| Intermediate Controller Notification Form | F&P 4 | To be completed in respect of Controlled Function R3 (where a proposed acquisition of control will only result in a change of intermediate parent within the regulated entity’s group structure, and will not result in a change to the controllers of the regulated entity, its immediate parent or ultimate beneficial owners) |
| Individual Controlled Function Cessation Form | F&P 5 | To be completed in respect of any individual where a Controlled Function they hold ceases |

Appendix 7 – R18 Senior Manager with Significant Influence – Decision Tree

Appendix 8 – Section 29 of the IA2008

  1. How does a corporate person have its fitness and propriety assessed?

a) Corporate Company Secretary

An individual’s company secretary role is a notified only Controlled Function (R9) which means that advance notice to the Authority of the appointment is not required. The regulated entity must nevertheless have fully conducted and completed its own due diligence and be satisfied that the individual is fit and proper before they are able to take up the role.

The role of company secretary may be filled by a corporate entity under the IA2008. Form F&P 2 is for individuals and does not easily accommodate corporate entities; therefore that form should not be used for corporate appointments. The regulated entity must instead notify the Authority in writing[7], within 10 business days following the date of appointment, of –

• the corporate person’s appointment, and which Controlled Function(s) it is in relation to;
• the name and address of the corporate person; and,
• the date of appointment.

b) Auditor and Insurance Manager

These two connected person roles require notification to the Authority under the IA2008 and are likely to be non-individuals[8] but they are not Controlled Functions.

Before a regulated entity may appoint an auditor or an insurance manager, the regulated entity must have fully conducted and completed its own due diligence. The regulated entity must then notify the Authority in writing, at least 28 days in advance of the intended appointment[9], of –

• the auditor or insurance manager’s name and address, and
• the date of appointment.

After receiving a notification, the Authority may ask for additional information to satisfy itself as to the fitness and propriety of the proposed appointee.

If the proposed auditor or insurance manager takes up the role without the Authority’s prior acceptance of the regulated entity’s intention to appoint that person, it is important to note that this will not prevent the Authority objecting to the appointment should that be necessary. Consequently, a regulated entity may wish to consider not appointing the auditor or insurance manager unless the regulated entity receives the written acceptance of the Authority to the appointment.

[7] It is expected that notification will take the form of an email or letter
[8] The Authority would always expect an auditor of an authorised insurer to be a non-individual. If an individual is appointed as a regulated entity’s auditor, an F&P 1 should be provided to the Authority.
[9] As required by section 29(1) of the IA2008

The assessment of fitness and propriety is case specific – it relates to the person proposed by the regulated entity, but consideration will also take into account the particular role and the regulated entity in question. Any acceptance is specific to the person, the particular role and in the context of the regulated entity itself. This is because an entity may be considered to have sufficient competence in the case of regulated entity ABC Ltd (bearing in mind the nature of its business, its compliance history, client type) but to have insufficient competence for the same role with regulated entity XYZ Ltd.

Appendix 9 – Insurance – Group Supervision

The IA2008 includes the power to enable the Authority to act as Group Supervisor of insurance groups and to make Regulations which apply to insurance groups of which the Authority has determined it is the Group Supervisor.

Where the Authority determines that it is appropriate for it to be the Group Supervisor, the authorised insurer (or the largest authorised insurer should there be more than one) is determined to be the “designated insurer”. The designated insurer is the Authority’s point of contact and is responsible for facilitating and maintaining compliance by the insurance group with the requirements of the IA2008 and provisions made under it. Enforcement of the requirements in respect of the insurance group is via the designated insurer.

The above requirements currently apply only to long term business and the Authority has determined that it is the Group Supervisor for some long term business insurance groups.

The Insurance (Group Supervision) Regulations 2019 apply requirements at the group level in the areas of solvency, governance, reporting and fitness and propriety with effect from 1 July 2019.

In addition to the fitness and propriety requirements at the level of the authorised insurer, the Authority expects that those responsible for the direction and management of the insurance group should also be fit and proper.

The Controlled Function of R30 - Group Actuary is a notified and accepted role, for which Form F&P 1 is required. It is subject to similar requirements as those to which the Appointed Actuary of an authorised insurer is subject under section 18 of the IA2008.

The Authority also requires notification of the auditor of the head of the group and expects it to be suitable for that role in terms of its expertise and capacity, but this role is not a Controlled Function and should be notified purely in writing to the Authority.

Appendix 10 – Independence

The term ‘independence’ is most often used in connection with independent non-executive directors of regulated entities, which is the context in which the guidance below is set. However, the indicators of independence may also be relevant to other positions.

Where there is a requirement for an individual’s independence, in establishing the sufficiency of the independence it is necessary for the regulated entity to exercise judgement and proportionality – both in the initial proposal of the individual for the role, and during the holding of the role (as some indicators may change with the passage of time).

When proposing an individual in an independent role, a regulated entity should be able to demonstrate its consideration of this guidance. Because the sufficiency of an individual’s independence will depend on a variety of factors, it should be assessed on a case-by-case basis. Set out below are factors considered relevant to the regulated entity’s determination.

The primary desired outcome is to ensure that the individual is free from any relationships or circumstances which could:

• materially interfere with the exercise of his/her independent judgement in relation to the affairs of the regulated entity;
• distort the way in which the individual conducts his/her role as director of the regulated entity; or
• result in an advantage to the individual, or a disadvantage to another person.

In seeking to achieve independence, the following non-exhaustive list of indicators will assist regulated entities and the Authority in evaluating any degree of independence.

Indicators of independence

• Not having a current material business relationship with the regulated entity or the group of which it is part.
• Not having had a material business relationship with the regulated entity, or the group of which it is part, within the previous 3 years.
• Not having been an employee of the regulated entity, or its group of companies, within the previous 5 years.
• Not having been a provider of professional services to the regulated entity, or its group of companies, within the previous 3 years.
• Not holding cross-directorships or having significant links with other directors of the regulated entity through involvement in other companies or bodies.
• Not receiving any additional remuneration or benefits in relation to the appointment from the regulated entity or its group of companies, apart from a director’s fee.
• Not having close family ties with any of the regulated entity’s advisors, directors or senior employees.
• Not having a material financial or other obligation to the regulated entity, the group of which it is part, or any of its directors.
• Not representing a significant shareholder of, or not holding shares of more than 5% in, the regulated entity or a company in the group of which it is part.
• Not serving in an independent capacity as director for the regulated entity for more than 9 years from the date of their election.

Version Control:

July 2018 – coming into effect 1 August 2018
1 July 2019
20 July 2020
1 March 2022
1 March 2023
24 May 2024: Minor amendments including: (i) updated contact details for submission of spent convictions; (ii) email address for ‘in case of doubt’ queries; and (iii) new Controlled Function R17B
4 July 2024: Revision to guidance for Controlled Function R17B
4 August 2025: Minor amendment to include criminal records checks for F&P1 applications
8 December 2025: Minor amendment to split out R10 to distinguish between notified and accepted appointments (R10) and notified only (R10A).