2024-01-22

Financial Services Act 2008 – Guidance on the Financial Services Rule Book 2016

The Isle of Man Financial Services Authority issued this guidance to clarify compliance requirements for licensees under the Financial Services Rule Book 2016. The document details specific obligations regarding financial resources, accounting standards, and the segregation and reconciliation of client, trust, and company money. It provides operational instructions for reporting, capital adequacy assessments, and record-keeping to ensure licensees maintain adequate financial standing and protect client assets.


Last updated: January 2024

Financial Services Act 2008 – Guidance on the Financial Services Rule Book 2016¹

PART 1 – INTRODUCTORY

Introductory Guidance

1.1 Confirmation of oral notification

The Authority accepts notification either by letter or by e-mail except where a signed document is required by a rule, in which case a scanned signed copy followed up by the original signed paper document is accepted. However, e-mail may be insecure and is sent entirely at the sender’s risk. The Authority’s central e-mail address is info@iomfsa.im.

PART 2 – FINANCIAL RESOURCES AND REPORTING

Financial resources and reporting Guidance

2.5 Misleading financial returns

Materiality should be considered as an amount, disclosure or previous error which, if not disclosed to the Authority, would or may affect the Authority’s view of the licenceholder. If, but for the error, a licenceholder would have made a notification under Rule 2.31 (Notification of actual or potential breach) then the error is material. Otherwise, the assessment of materiality is a matter of professional judgement on the part of the licenceholder.

2.9 Accounting standards

Rule 2.9 would cover the use of IFRS as adopted by the jurisdiction in which a company has been incorporated. For example, IFRS as adopted by the EU for public companies would meet the rule. The website www.ifrs.org has information about the adoption of IFRS at national level.

1 It is the Authority’s expectation that guidance is followed unless alternative processes are adequate.

2.10 Annual financial statements of parent and holding companies, trusts or foundations

If the parent of a licenceholder is a public company which publishes its audited financial statements in accordance with requirements for listing or quotation on a stock exchange, then a notification accompanied by a link to the published document would be regarded as providing a copy of the financial statements under this rule.

Unless stated otherwise, the Rule Book 2016 requires audited financial statements for the immediate parent company only, rather than every parent company where the ownership structure includes a chain of several companies. The Authority, however, retains the ability to request confirmations/financial statements from other related parties in the ownership chain, where relevant.

The extended Guidance - Rule 2.10 explains in more detail. It also explains the process and circumstances where a licenceholder may wish to request a modification in relation to the provision of immediate parent company financial statements. Where there was a modification under the previous Rule Book 2013 in relation to immediate parent financials this will be retained but may require amendment to meet the revised rule.

The Authority expects to see consolidated financial statements (where possible and, in particular, where the licenceholder has a direct financial reliance upon the parent entity) to better understand the true size and obligations of the group, and to determine how the group position may impact on the licenceholder.

2.11 Change of annual reporting date (IOM incorporated)

A licenceholder under the Financial Services Act 2008 must receive the Authority’s consent in accordance with rule 2.11 before it can change its accounting date.

Additionally, 1931 Act companies, whether licenceholders or not, must receive advance permission from the Authority under the Companies Act 1982 (unless it has revised its M&A) for such a change. The Authority’s considerations under its Companies Act functions may be different to those under its regulatory functions. [Note: The approval of single-year changes is a function of the Authority in section 2 of Companies Act 1982, which applies to ALL 1931 Act companies. Alternatively, section 7 functions apply to groups.]

2.12 Accounting records (IOM incorporated) and 2.15 Accounting records (Non-IOM incorporated licenceholders)

The attached document cross-references the Rule Book requirements for Record Keeping.

2.13 Accounts of subsidiary and associated companies

If a licenceholder does not propose to produce audited financial statements for a subsidiary (other than a shelf company), on the basis that the subsidiary has not traded in the financial year in question, the Rule Book 2016 requires both the licenceholder and the auditor to provide a written confirmation in accordance with rule 2.13(2).

Auditors should include a list of subsidiaries (under FRS 102 paragraph 33.5) in the Notes to the audited financial statements. The Authority would also expect to see an indication of the nature of the business activities of the subsidiary.

There is no statutory definition of a “non-trading company”. “Non-trading” for these purposes means a company that is providing services but is not getting paid for those services i.e. it has no income or expenditure. A company that acts as a nominee shareholder, corporate director or corporate trustee is regarded by the Authority as non-trading.

Per the Companies Act 2006, a “dormant company” means a company which is administered by a Class 4 licenceholder and which has not undertaken any activity by way of business or otherwise, is not part of any group, has neither received income nor incurred expenditure other than any costs associated with the incorporation of the company and issue of its shares and has no assets other than the consideration paid for those shares.

For the avoidance of doubt, the Authority considers all dormant companies as non-trading but a non-trading entity is not considered dormant as it is providing services.

2.18 Charges

As part of the notification the reason for the creation of the charge should be provided to the Authority, including who the charge(s) is granted to, and over which assets the charge is granted. Information about the type of charge, including whether it is fixed or floating should also be provided. Licenceholders should ensure that auditors provide the Authority with details of charges as well as an attestation that each charge has been notified to the Authority.

2.19 Capital resources

The Authority has issued a guidance note for deposit takers titled Internal Capital Adequacy Assessment Process which provides advice regarding what should be considered in establishing an ICAAP.

Deposit takers must comply with minimum capital requirements for the CET1 Ratio, Tier 1 Ratio and Total Capital Ratio. There is a 1% trigger, or buffer, level (or a higher level if specified by Direction) at which point notification to the Authority is required, for the Total Capital Ratio only. Although there is no prohibition on deposit takers operating within any required 1% buffer, once a deposit taker’s actual ratio(s) falls within the notification level, it will be a signal that remedial action may be necessary to ensure that sufficient capital is held for a deposit taker to operate above its minimum ratio.

2.20 Deposit taking returns – Isle of Man incorporated and 2.23 Deposit taking returns – non-Isle of Man incorporated

Deposit taking returns must be in the format specified by the Authority. The return forms can be accessed via the links below:

• IOM branches of deposit takers incorporated outside the Island
• Deposit takers incorporated in the Island
• Lending reporting form

Guidance for the completion of the deposit taking returns can be found here.

2.21 Contents of annual financial return

In (1)(c) a deposit taker is required to provide a reconciliation of all material differences between the deposit taking returns and the deposit taker’s audited financial statements. There is no definition of materiality, but an example would be a difference in the pre-tax profit figures. Where there are no material differences, a deposit taker should confirm this fact to the Authority in writing.

2.22 and 2.24 Publication of annual financial statements

With respect to Rule 22(1)(c) and 24(1)(c) the licenceholder should ensure that the annual financial statements can be easily found and are accessible on the relevant website(s).

2.30 Financial resources requirements

See extended Guidance - Financial Resources Statements (FRS).

In respect of Appendix 3 Note 4, the Authority has issued extended guidance: Qualifying Subordinated Loans.

In respect of Appendix 3 Note 12, in general the Authority expects expenditure to be calculated on a realistic basis in the licenceholder’s accounts. Cross-subsidisation does not reduce the importance of a realistic Expenditure Based Requirement (“EBR”) calculation. The purpose of the Liquid Capital Requirement is to ensure that a licenceholder has sufficient liquid assets to cover three months expenditure. Therefore, if not all costs of the licenceholder are reflected in its EBR, the Authority expects the licenceholder to discuss this matter with the Authority to determine if any adjustments to the licenceholder’s EBR are necessary. There is scope for some flexibility if the arrangement is between two licenceholders in the same group, because the EBR must be met in one or the other licenceholder, irrespective of the level at which services are charged.

The Authority has issued communications regarding circumstances where one or more directors have chosen to draw no (or only minimum) salaries. See here for a summary.

2.32 Contents of annual financial return

The financial resources statement submitted under Rule 2.32(a) must be calculated in accordance with Appendix 3. For the avoidance of doubt, licenceholders are not obliged to use the FRS spreadsheet which is provided by the Authority and they may generate the statement from their accounting system or input the data manually into a document. However, the statement must be laid out in the same format as Appendix 3. See the Guidance - Financial Resources Statements (FRS) on how to complete the FRS correctly.

If an additional detailed Statement of Profit and Loss is required under Rule 2.32(b) it should provide cost of sales and administrative expenses, with each heading broken down into relevant categories of expense. The categories will vary according to where the actual expenses fall. For administrative expenses this might typically include employment costs (broken down into directors’ fees, wages and salaries, NI, discretionary bonuses etc), property costs (broken down into relevant figures), general administrative expenses (broken down into relevant figures) and legal and professional costs (broken down into relevant figures). The detailed Statement of Profit and Loss should always itemise any amount which is specified in the Financial Resources calculation.

Rule 2.32(c) clarifies that the auditor must either provide a reconciliation or confirm that none is required. Where a reconciliation is required, this should clearly show the adjustments to all sections of the financial resources statement and include the effects on the net tangible assets and liquid capital. Where the only amendment to the statement is an update to Part C for the current audited figures, a reconciliation is not required.

2.33 Interim financial returns

See the Guidance - Financial Resources Statements (FRS) on how to complete the FRS correctly.

The Authority has published a document Guidance Note – Limited Partnerships and Schemes which includes, in respect of Class 4 licenceholders which do incidental Class 3(11) or 3(12) business: “Where the only Class 3 activities relate to a small number of private schemes with no more than 10 individual investors, the Authority may make an exception from the requirement to submit interim financial returns.”

2.35 Monitoring of financial resources requirements

The rule gives flexibility as to the timing of the calculations. Calculations to demonstrate compliance with the Authority’s financial resources requirements must be completed at least once in each quarter and no later than one month following each quarter end. However, in order to conduct the reconciliation required by Rule 2.32(c), one of the calculations should be on the last day of the licenceholder’s financial year.

2.36 Payment Services’ Returns

See Class 8(2)(a) quarterly return - specified form and Class 8 Quarterly Return guidance.

PART 3 – CLIENT MONEY, TRUST MONEY, RELEVANT FUNDS AND CLIENT COMPANY MONEY

Client Money etc. Guidance

3.2 Interpretation: general

The definition of client includes a corporate trustee in order to extend the protection of the clients' money rules to the licenceholder's corporate trustee, acting in the capacity of trustee.

Rule 3.3(4) explains that money that has been paid away to the client is not “client money” under these rules.

The Rule Book 2016 includes ‘nominee bank account’ to clarify that an account in the name of a Class 2 or 3 licenceholder’s nominee company constitutes a ‘client money account’ for the purposes of the Rule Book.

3.3 Holding “client money”

Money invoiced and received by a licenceholder from a client as payment in advance for the provision of its services to the client (such as annual fees or standing charges) is not clients’ money if it is due and payable to the licenceholder at the time of receipt. However, money invoiced and received by a licenceholder from a client, whether as a disbursement or otherwise, which is or will be due to a third party who is a creditor of the client or a client company (such as taxes or registry fees) is clients’ money and should be held in a clients’ account until due and payable.

Rule 3.3(2)(a) refers to where a relevant agreement is in force between a licenceholder and a client. There have been instances, for example, where the client has been dissolved and cash belonging to that dissolved entity is still held in the clients’ money account. This type of money is no longer clients’ money and is likely to be ‘bona vacantia’ and therefore should vest in Treasury (Per Section 274 of the Companies Act 1931).

3.5 Duty to hold client money separately

Sub-paragraph (4)(b) makes allowance for an exceptional circumstance where it might not be possible to apply the clients’ money rules.

The Authority would expect licenceholders to apply the protection of the clients’ money rules to their clients wherever possible.

3.6 Client’s Account Information

A licenceholder must provide a clients’ money information sheet to (i) all new clients who utilise a client money bank account (except client subscription and/or redemption accounts); and, (ii) any existing clients when they pay money into a client money bank account (except client subscription and/or redemption accounts) and have not already been provided with a client money information sheet. Evidence of the despatch of the information sheet might be in the form of a copy of the outgoing letter or e-mail.

The specified Clients’ Account Information can be found on the Compliance Support page of the website. It is not necessary to send all of the material to every client; the form indicates which paragraphs must or may be sent out to clients of each Class of licenceholder.

3.7 Notification of receipt of client money in certain cases

This rule confirms the required actions where a licenceholder receives client money which it is not authorised to hold.

3.9 Operation of client bank account

Where multiple client bank accounts are established at the same bank the Authority will accept one letter from that bank confirming that all such accounts will be treated in the same manner provided that a detailed list of all of the accounts is provided.

Where a client bank account is held in a country or territory outside the Island, the Authority expects the licenceholder to document that it has met the requirements under Rule 3.9(4)(a) or (b). A licenceholder may decide that receipt of a letter from the overseas bank containing the wording specified in Rule 3.9(3) is sufficient to satisfy Rule 3.9(4)(a), however, this consideration should be documented.

Rule 3.9(5) - If a client bank account has gone overdrawn due to an error by the licenceholder, the Authority expects the licenceholder to incur the charges/interest in relation to the overdrawn account.

Rule 3.9(6)(a) allows a licenceholder to hold a small balance on clients’ money accounts, for example to meet bank charges. Such amounts should be kept to the minimum necessary (suggested limit – no more than £100).

Rule 3.9(11) requires dual signature control over client bank accounts and nominee bank accounts so that all payments through client accounts are independently reviewed and authorised by a second individual. It is for the licenceholder to determine at what level and by whom sign-off is required. The Authority would expect the nearest practical equivalent to be applied in the operation of on-line banking. For example, another form of second sign-off where not possible via the on-line banking system.

TCSPs commonly request their clients to make payments into the client account. Whilst this can result in non-client money being paid into the client account, this is considered preferable to the risk of client money not being properly protected. However, any non-client money should be transferred out of the client money account as soon as possible once it has cleared.

3.10 Records to be kept by licenceholder

This rule relates to record keeping and does not require the implementation of real-time accounting systems. It requires the licenceholder to maintain proper records of client money received, paid or held by it. The Authority expects licenceholders to have a full documented trail of all balances held in its client money bank accounts.

Rule 3.10(2) requires a ledger to be kept up to date for all transactions and all balances for all accounts. As an example, this can be performed using a simple spreadsheet. Without ledger accounts, the licenceholder will be unable to demonstrate compliance with Rule 3.10 (2)(c)(iv) or complete the reconciliation required by Rule 3.12.

Rule 3.10(4) requires that records are clear and accurate. Licenceholders need to have a record of what each transaction relates to. For example, a transaction for payment of fees should have a supporting invoice and authorisation of payment from the client.

Records should clearly identify the client that money relates to, and should be able to show all transactions relating to one client, usually in the form of an accounting ledger or spreadsheet.

3.11 Accounting for and use of client money

Rule 3.11 has been updated to clarify that client money does not belong to the licenceholder and as such should not be included on the licenceholder’s balance sheet/statement of financial position. Related credit balances should also be excluded.

3.12 Reconciliation

This rule details the requirement that all client bank accounts must be reconciled at least monthly and to the same date; this does not prevent more active accounts from being reconciled more often.

Rule 3.12(2)(g) only applies where reconciliations are undertaken on a monthly basis and not more frequently, for example, to prevent the January reconciliation being undertaken on 30th January and then the February reconciliation being undertaken on 1st February.

All transactions must be recorded:

  1. in the licenceholder’s own client money records (electronic ledger or spreadsheet showing the client and the date, nature and value of the transaction); and
  2. in each individual client entity ledger.

During regulatory visits, the Authority has encountered licenceholders who have failed to evidence full reconciliations:

  1. Rule 3.12 requires that bank statements are reconciled to the licenceholder’s client money records; and,
  2. the total of the licenceholder’s client money schedules in respect of each client are reconciled to the total of all the licenceholder’s client bank accounts and nominee bank accounts ledgers’ balances.

The requirement of Rule 3.12(2)(b) to reconcile all client money bank accounts to the same date is so that individual client balances can be reconciled to overall total balances held on behalf of all clients to ensure full reconciliation. Some licenceholders have commented that they may not be in a position to carry out a live reconciliation on the same date because of differences in bank statement dates. However, bank accounts should be reconciled to the same date. The growth of online banking should reduce any operational difficulties over time.

Rule 3.12(2)(c) is to ensure that the reconciliation, including 4-eyes check, is performed within 20 business days of the bank statement date.

Normal timing differences in Rule 3.12(2)(f) could include for example, lodgements recorded as receipts but not yet credited to the bank statement and outgoing cheques which have been recorded as payments but not yet presented and recorded in the bank statement. If an amount remains outstanding at the first reconciliation following the transaction this would be classed as a normal timing difference. However, if it appears as a reconciling item at the following reconciliation, this would not. The Authority suggests 60 days as a rule of thumb, whereby if a cheque hasn’t been banked after 60 days it is unlikely that it will be banked.

3.22 Accounts for margined transactions

Under Rule 3.22(2), only licenceholders that actually undertake margined transactions are subject to this rule.

3.28 Duty to hold money belonging to a client company separately

This rule establishes a norm that client companies should have their own bank account. However, it does, by exception, allow the use of a client bank account. The use of a client bank account may be appropriate where, for example, the company usually has insufficient funds or turnover to justify the opening of its own bank account.

3.31 Duty to hold trust money separately

This rule establishes a norm that trust money (including that relating to any trusts that have either a corporate trustee or private trust company) should be paid into a separate account for the trust. However, it does, by exception, allow the use of a clients’ money account. The use of a clients’ money account may be appropriate where, for example, a TSP holds several small amounts of money which form the assets of a number of trusts and opening a separate account for each such trust would incur disproportionate bank charges, which would rapidly erode the balances held.

Please note, no exceptions to the norm are permitted where a related party acts as trustee under the Financial Services (Exemptions) Regulations 2011.

3.34 Reconciliation

Rule 3.34(1) sets a minimum frequency of annual reconciliation (no more than 12 months apart) for trust accounts.

Rule 3.34(2)(b) is to ensure that the reconciliation, including 4-eyes check, is performed within 20 business days of the bank statement date.

PART 4 – CLIENTS’ INVESTMENTS

Clients’ Investments Guidance

4.1 Interpretation of terms in this Part for licenceholders of Class 3

Part 4 does not apply to activities of another Class conducted by a licenceholder, merely because that licenceholder is also authorised under Class 2. This rule highlights the selective application of this Part to investment activities carried out as part of services to collective investment schemes (Class 3).

This Part does not apply to any safe custody services which are not part of regulated activities under the Act. For the avoidance of doubt, if a licenceholder conducts unregulated safe-keeping, it should explain to clients that it is providing services on an unregulated basis.

4.7 Reconciliation of investments and title documents

Under Rule 4.7(3)(a) the Authority requires reconciliations at least every 25 business days where records can be “obtained electronically”. For example, where the requisite data can be extracted or fed into a licenceholder’s systems without manual intervention or re-keying. A straight data feed or excel spreadsheet which can be uploaded by way of automatic routine would fall under this definition. However, a .pdf holding statement, for example, may need heavy intervention and so Rule 4.7(3)(b) or (c) may apply.

Licenceholders need to acknowledge that circumstances change, and what was only available manually last year may be available electronically this year. Rule 4.7(2) requires an annual documented review of the frequency of custody reconciliations, and any changes to the manner in which records are received needs to be considered as part of this exercise.

4.8 Periodic statements

“Provide” includes information being made available on-line via a website.

PART 5 - AUDIT

Audit Guidance

5.2(2)(c) Appointment of Auditor

It is expected that auditors of Class 1 licenceholders would have PII cover of at least £20 million, and auditors of Class 2 and 3 licenceholders (with the exception of financial advisers and promoters) would have PII cover of at least £10 million.

5.8 Management letter – IOM Incorporated
5.13 Management letter – non-Isle of Man incorporated

The wording of these rules simply refers to “management letter or equivalent” (i.e. no references to ISA 260/265). This generic description covers any written communications between the auditor and those charged with the governance of the licenceholder.

5.10 Contents of audit reports

See Rules 5.15, 5.16 and 5.17 for additional requirements. The audit report is due 4 months after the financial year-end, in accordance with the deadline set by Rules 5.6 and 5.16.

5.15 Auditor’s letter – additional requirements for Class 1

The audit letter prepared under Rule 5.15 should be addressed to the Authority but should be sent to the Authority by the licenceholder. Deposit takers which also hold other classes of licence should also refer to Rule 5.16.

5.16 Auditor’s letter
5.17 Auditor’s letter – additional requirements

The audit letter prepared under Rule 5.16 and 5.17 should be addressed to the Authority but should be sent to the Authority by the licenceholder.

5.18 Clients’ Assets Report

The Authority has prepared some additional guidance (FAQs) for licenceholders here.

The frequency of Auditor Review will be in accordance with the Authority’s Risk-Based Approach to Client Assets Reporting. The Authority will communicate initial frequencies with relevant licenceholders. Thereafter, any changes will be advised to licenceholders as required.

PART 6 – CONDUCT OF BUSINESS

Conduct of Business Guidance

6.1 Skill care and diligence
6.2 Responsible behaviour in dealings
6.6 Integrity and fair dealing

Section 6 of the Financial Services Act 2008 includes that an applicant must demonstrate to the Authority its integrity, competence, financial standing, structure and organisation (and sets out similar requirements for persons who control and manage the applicant). The Licensing Policy for Regulated Activities under the Financial Services Act 2008 explains that this is an ongoing requirement which also applies to licenceholders.

Rule 6.1 primarily addresses the requirement to act with competence, in the form of skill care and diligence. Rules 6.2 and 6.6 primarily address the requirement to act with integrity. This includes compliance with legislation, codes and professional standards, and also a general requirement to act openly and fairly.

These rules are not limited to dealings with customers. They would also include cooperating fully with other parties such as:

• Regulators;
• Auditors;
• Other regulated organisations which are seeking to comply with their obligations.

For example, supplying accurate, complete and comprehensive replies to an AML/CFT due diligence request from another business is subject to rules 6.1, 6.2 and 6.6 (without limiting its consequences in other rules or legislation).

6.9 Gifts and other benefits

Licenceholders should set their own limits and procedures for compliance with this rule which should be covered in their internal policy. See also Rule 8.9 regarding the obligation to establish a conflicts of interest policy and to consider what constitutes a conflict of interest. It is also good practice to establish a register or other record of gifts received.

6.10 Remuneration

This rule relates to the manner in which a licenceholder structures its charges; it does not prohibit cross-subsidisation between individual services provided to a client. Staff remuneration is addressed at Rule 8.7.

6.11 Conflicts of interest – general

See Guidance on conflicts of interest policy and related rules.

Licenceholders (and particularly holders of Class 4 and Class 5 licences) should note that Rule 6.11 applies not only to "licenceholder to client" conflicts, but also to "client to client" conflicts.

Because of the application of Rule 6.11, a Class 4 or Class 5 licenceholder should cover potential "client to client" conflicts in its conflicts of interest policy under Rule 8.9. The policy must include "measures to be adopted to manage such conflicts" under Rule 8.9(4)(a). This should be taken into account in carrying out duties as a director or trustee, for example when considering a transaction between two unrelated client companies.

Where "client to client" conflicts occur, they should be recorded in the conflicts of interest register under Rule 8.10.

Class 4 licenceholders should also have policies and procedures in place to meet the obligations under company law in respect of conflicts of interest where they supply directors (for example under section 148 of the Companies Act 1931 and similar provisions in other legislation).

6.12 Advertisements – general
6.13 Reference to licensing

In order to demonstrate compliance (Rule 8.23(1)(a)) with Rules 6.12 and 6.13, it is good practice to keep a register or other record of advertising, including records of any approval process.

A banner or listing as a sponsor of an event would be regarded as an advertisement “which does not mention or relate to a regulated activity” if it states the full company name of the licenceholder and contains no other text or hyperlink. This would include a licenceholder whose name includes an activity, such as “ABC Bank plc” or “XYZ Corporate Services (Isle of Man) Limited”.

Further guidance for deposit takers is included within the Guidance note for deposit-takers on deposit advertising. An advertisement which ‘does not mention or relate to a regulated activity’ is covered within this note under ‘simple promotion’.

6.16 Reference to group ownership

Further guidance is included within the attached Guidance note for deposit-takers on deposit advertising.

6.18 Limited Advice and 6.19 Restricted Advice

See Financial Advisers - sales and advisory 'step-by-step' guidance

6.25 Distribution of transactions among clients

This rule addresses late allocation of a principal trade, not principal trading per se.

6.26 Prompt and timely execution

Licenceholders will wish to consider where and when the use of discretion over timing is appropriate. For example, the rule would not prevent them from declining to trade outside normal market hours, if their normal terms and conditions prohibited this. The rule does not take precedence over anti-money laundering concerns.

See also Financial Advisers - sales and advisory 'step-by-step' guidance.

6.27 Best execution

This rule applies to the terms of the transaction itself. It does not affect whether the licenceholder can apply a fee or commission in accordance with its terms of business.

6.29 Knowledge of client and 6.30 Knowledge of client – financial advisors

See Financial Advisers - sales and advisory 'step-by-step' guidance.

6.32 Suitability

See Financial Advisers - sales and advisory 'step-by-step' guidance.

Licenceholders should have appropriate procedures for handling sales to elderly and/or vulnerable customers. The procedures should include an opportunity for the customer (at their request) to bring somebody with them to meetings, such as a friend or family member.

6.37 Disclosure and information

In Rule 6.37(2) “sufficient time” was preferred to a fixed timescale, as what is suitable will depend upon the circumstances – for example, the client’s prior knowledge, the complexity of the transaction and even whether the client is travelling or out of contact when the recommendation is made.

6.38 Understanding of risk

For the purposes only of Rule 6.38 and Appendix 7 an unregulated collective investment scheme is any scheme which is not approved or authorised in any jurisdiction as being suitable for sale to a retail investor.

6.41 General need for client agreement or terms of business

In Rule 6.41(1) the signed document should normally be a signed original; however, (3) permits an electronic signature to be accepted where there are appropriate systems in place for retention, verification and security. Any licenceholder contemplating a service which involves a web-based approach to customer acceptance should consult the Authority about the application of this rule.

See also Financial Advisers - sales and advisory 'step-by-step' guidance.

6.43 Contents of client agreement or terms of business – general

See Financial Advisers - sales and advisory 'step-by-step' guidance.

6.50 Contracts to be on-exchange

In practice the regulation of investment businesses is almost universal. However, in the event that an overseas person was not subject to a licensing regime in its home jurisdiction, a licenceholder could consider applying for a waiver of Rule 6.50(1)(b).

6.52 Contract note etc

See Financial Advisers - sales and advisory 'step-by-step' guidance.

6.53 Interests of scheme to be paramount

It is for the governing body of the scheme to consider what disclosure if any should be made in scheme particulars.

6.54 Observance of terms of scheme particulars

See also Section 6 of the Collective Investment Schemes Act 2008 and Governance of Collective Investment Schemes - Guidance Note.

6.55 Valuation of investments

The Authority endorses the IOSCO/AIMA principles on hedge fund valuation. However, in cases where the constitutional or offering documents clearly stipulate other valuation procedures, these may prevail over the IOSCO/AIMA principles.

6.62 Services to overseas managers or administrators of schemes

This new rule, introduced with effect from 1 January 2017, requires notification to the Authority where a licenceholder provides services to overseas managers or overseas scheme managers. Licenceholders were previously only required to notify the Authority of such services via the quarterly funds statistics (Rule 6.72).

The licenceholder should ensure that the services to be provided fall within the terms of its licence.
Class 3 licenceholders should note in particular that they will need prior consent to the extension of their licence, if the services to be provided fall within Class 3(10) “Providing administration services to the manager or administrator of a collective investment scheme where that manager or administrator is located outside the Island.”

The services covered by this rule would be the mirror-image of outsourcing. It describes a situation in which:

• A licenceholder provides services which have been outsourced by another party (“the outsourcer”), which may or may not be another licenceholder and/or a related party;
• The outsourcer remains responsible for services to the customer; and
• The arrangement does not constitute management and administration of another licenceholder under Class 7 or Class 3(9).

The licenceholder should conduct due diligence checks into the outsourcer, to establish that it is a regulated business and subject to AML/CFT requirements comparable to those on the Island.

The Rule Book applies to all services to overseas managers or administrators of schemes, with particular emphasis on regulated activities. Licenceholders should consider, amongst other matters, implications for:

• Management controls;
• Risk management;
• Compliance monitoring;
• Conflicts of interest;
• Business plan; and
• Business resumption.

6.64 Client agreement or terms of business

As the business relationship progresses, the client with whom the fiduciary contracts may change. For example, in respect of CSP regulated activities, a CSP’s client may initially be the person for whose benefit the client company is to be established, who in due course will be the beneficial owner of the client company. After the client company has been established, a CSP’s client may be the beneficial owner or the client company itself.

In the case of a fiduciary engaging in the TSP regulated activity of providing only “trust administration” for a trust, the TSP’s client would be the trustee of the trust.

If the fiduciary itself is asked to act as trustee of a trust, its client would initially be the settlor of the trust. However, once the trust is established, the trustee’s responsibilities and duties would be governed by the terms of the trust deed and the trust law of the relevant jurisdiction, and the requirement for a client agreement falls away. However, where a TSP is both the service provider and the trustee, it is considered best practice for the TSP to circulate its terms of business with the trust accounts to whoever is entitled to receive copies of those accounts in order to ensure that anyone with an interest in the accounts is aware of the terms on which the TSP is providing services.

The provision of a fees schedule, referenced from the client agreement and/or the terms of business, is one method of complying with the rule. Rule 6.64(2)(a) requires that where charges are time-based the hourly rates (or the bands within which such rates fall) are stated.

6.66 Resignation of licenceholder – Class 4

The timetables in paragraphs (3), (4) and (5) are based on the periods within which the relevant Acts allow companies and foundations to be restored to the register. The Authority would expect licenceholders to keep (at least) any documents which the licenceholder would expect to be necessary for a restored company to function.

Many CSPs have a contractual term in their client agreement relating to the retention of documents where fees are unpaid. Rule 6.66 does not prevent the operation of such agreements. However, licenceholders are expected to act reasonably and to take account of the circumstances.

When a licenceholder ceases to provide services to a client company, it should endeavour to wind up the company’s affairs in an orderly manner. Whilst practice varies between jurisdictions, in the Isle of Man abandoning companies in a state of “freefall” is not considered good practice and should be regarded as a last resort. It is recognised that circumstances may arise in which an orderly winding-up is not possible, but the Authority would expect any such abandonment of companies to be exceptional and the reasons to be documented.

The Companies Act 1931 includes at section 273A a simple and inexpensive dissolution procedure for solvent Isle of Man companies.

6.72 Provision of statistical information

Statistical information required by the Authority can be found on the Compliance Support page and the Returns/Forms page.

6.73 Structured deposits – disclosure of product particulars

Further guidance is included within the attached Guidance note for deposit-takers on OTC Derivatives and Structured Deposits.

6.74 Structured deposits – depositor interaction

Further guidance is included within the attached Guidance note for deposit-takers on OTC Derivatives and Structured Deposits.

PART 7 – ADMINISTRATION

Administration Guidance

7.2 Registration of business name

Relevant business/trading names are shown on the licenceholder register on the Authority’s website. Relevant business/trading names are those that are actively used by licenceholders for promoting, or conducting, activities regulated by the Authority. These names are shown for the benefit of consumers.

7.3 Ownership and structure matters – Isle of Man incorporated and 7.4 Ownership and structure matters – non-Isle of Man incorporated

This rule sets out a variety of changes in the ownership, capital structure or assets and liabilities of a licenceholder which are subject to a requirement that the Authority is notified or gives consent. Broadly speaking, the most significant changes are subject to consent and the lesser changes are notified. See the Consent and Notification Summary Table for further guidance.

The Authority expects licenceholders to supply supporting and background information. The type of information that is expected is set out within the extended Guidance - Rules 7.3 to 7.8.

The objective of Rules 7.3(6)(a) and 7.4(5)(a), where a licenceholder has acquired clients of another licenceholder, is to ensure that the licenceholder understands what services the client expects and any limitations imposed by the client. As soon as possible after taking on new clients, the licenceholder should be in a position to demonstrate compliance with the relevant provisions of Part 6 of the Rule Book. For example, in accordance with Rule 6.11(1)(b) a licenceholder needs to identify conflicts of interest between acquired clients and existing clients.

If an existing company is to be utilised as a trading or nominee company, this should be treated as establishing a new trading subsidiary or forming a nominee for the purposes of Rule 7.3(1)(d) and 7.3(2)(e).

7.5 Merger, takeover and purchase notification requirements and 7.6 Merger, takeover and purchase consent requirements

See further Guidance - Rules 7.3 to 7.8.

7.7 Further ownership and structure matters – Isle of Man incorporated and 7.8 Further ownership and structure matters – non-Isle of Man incorporated

See further Guidance - Rules 7.3 to 7.8.

7.9 New appointments and departures from office

Please refer to the Fitness & Propriety Assessment Forms area of the Authority’s website.

With effect from 1 August 2018, there is a new Rule 7.9(4) requiring that “notified only” appointments are notified to the Authority within 10 business days following the date of the appointment. The F&P2 Notification Only Form should be used accordingly.

It is expected that a licenceholder will use its judgement to determine if there is a significant issue in relation to the departure of a member of staff which should be disclosed to the Authority. The Authority may request an interview, particularly where a Head of Compliance resigns.

Definitions of terms used in this rule can be found as follows:

• Head of Compliance – Rules 8.21 and 8.23;
• MLRO and deputy MLRO – Rule 8.21;
• Controller – Section 48 of the Act;
• Director – Section 48 of the Act.

Further guidance can be found in the Authority’s Training and Competence Framework and Regulatory Guidance - Fitness and Propriety.

The Authority recognises that circumstances outside the control of a licenceholder can occur in which it is necessary to fill a vacant role urgently and it is impractical to provide the prior notice required by Rule 7.9. This is addressed by the provisions contained in Rule 7.10.

7.12 Fitness and propriety

The assessment of the fitness and propriety of individuals includes the consideration of any adverse information regarding the individual’s activities in related or external businesses, personal activities that result in criminal or civil litigation or media attention, and any attempts by the individual to conceal such information from the licenceholder.

See also Rule 7.13 Staff disciplinary action and Rule 8.18 Fraud or dishonesty.

7.13 Staff disciplinary action

The purpose of this requirement is to inform the Authority at an early stage of any event that could potentially affect the licenceholder's reputation or financial soundness. The licenceholder should use its own human resources policy to determine what should be disclosed as "serious disciplinary action", but the Authority would expect it to include at least any action which could lead to suspension or termination of the person’s employment and which involved dishonesty or contravened measures for the protection of customers.

See also further Guidance - Staff Disciplinary Action.

7.15 Service of notice etc

The notifications required under this rule are limited. To avoid passing notifications to the Authority that are not required, licenceholders should make sure that the following four key tests are met before making a notification to the Authority:

• the service of the “request” is made by a constable or member of the Attorney General’s Chambers; and
• the “request” is made under criminal statute in the Isle of Man; and
• the “request” is made for the purpose of obtaining evidence; and
• the “request” is in relation to a criminal investigation or criminal proceedings.

When the above four tests are met, notifications should be made irrespective of whether the criminal investigation or criminal proceedings are against the licenceholder or a customer of the licenceholder. For the purpose of this rule, the “action against the licenceholder” is purely the action of serving the request.

A common example that is likely to be caught by the notification requirement includes requests made under s21 of the Criminal Justice Act 1991, including letters of request from the Attorney General’s Chambers where “it is likely that assistance will be granted”.

For the avoidance of any doubt, the term “request” in Rule 7.15 does not include a request for information issued by the Isle of Man’s Financial Intelligence Unit to a licenceholder under section 18(4) of the Financial Intelligence Unit Act 2016 (“a s18 FIU Request”). A licenceholder must not disclose a copy or details of a s18 FIU Request to the Authority without the consent of the FIU.

7.17 Surrender of licence

The Authority will not accept the surrender of a licence until the licenceholder has made satisfactory arrangements for its clients’ affairs to be handed over properly to another licenceholder(s), and until it has completed those arrangements in full, or alternatively where clients’ affairs are fully wound up to the satisfaction of those clients. For a Class 5 licenceholder this includes satisfactory arrangements in respect of any trust for which it undertakes any regulated activity.

The licenceholder should explain its proposed arrangements for the retention of records, to comply with Rules 8.27 and 8.58 and AML/CFT requirements.

The Authority would expect the licenceholder to supply supporting and background information for a surrender; further guidance covering the type of information that would be expected is set out here: Surrender Guidance.

7.18 Cessation of regulated activities

If a licenceholder is proposing to cease a type of regulated activity (but not to surrender its licence under Rule 7.17) the Authority will expect the licenceholder to update its business plan to reflect the change, and also to ensure that satisfactory arrangements for its affected clients’ affairs are made and completed before the regulated activity can cease (see guidance to Rule 7.17 above).

7.21 and 7.22 Legal proceedings

The Authority acknowledges that the inclusion of “intended” involves a subjective assessment by the licenceholder of a third party’s state of mind. Licenceholders may, however, prefer to err on the side of caution in deciding what should be disclosed, particularly as the rule already includes a materiality threshold.

PART 8 - RISK MANAGEMENT AND INTERNAL CONTROL

Risk Management and Internal Control Guidance

8.2 Corporate governance

Corporate governance guidance documents are available for banks and for non-bank licenceholders.

Generally there ought to be a balance between executive and non-executive directors, and at least two Isle of Man resident executive directors.

Licenceholders which have trading subsidiaries should note the obligation under Rule 8.6 to take them into account in the risk management process.

8.3 Management Controls

Licenceholders should note the use of “appropriate” in Rule 8.3(2). The responsible officers should take account of the scale and complexity of the business in determining the level of controls and procedures that are relevant to the business.

In setting internal standards under Rule 8.3(4), licenceholders should have regard to the Authority’s Training and Competence Framework. The Authority considers Discretionary Management to include the giving of financial advice for the purpose of Rule 8.3(4)(c).

Licenceholders which have trading subsidiaries should note the obligation under Rule 8.6(2)(a) to take them into account in the risk management process.

See also Guidance on directorships, trusteeships and similar responsibilities held by directors and individuals in 'controlled functions' and Governance of Collective Investment Schemes - Guidance Note.

8.4 Compliance with obligations

For example, any set of standards or good practice guidelines promulgated by a relevant local licenceholder professional association.

8.5 Continuing professional development (“CPD”)

Further information on CPD can be found in the Training and Competence Framework. Examples of how CPD could be achieved by individuals, who are not members of a professional body with a CPD requirement, can be found in the attached chart.

The Authority expects part-time staff to meet the full CPD requirement. However, subject to professional body requirements, where staff are absent for several months (for example, on maternity leave or due to illness) it is recognised that it might not be practical for them to achieve their full CPD requirement in that year. Where staff move into a Controlled Function role part way through the year, subject to professional body requirements, the CPD requirement should be pro-rated.

Rule 8.5(1)-(3) “per annum” should be interpreted to mean either a calendar year or any 12 month period. It should be clear in a licenceholder’s records what 12 month period is being utilised.

Rules 8.3(4)(c) and 8.5(2)(4): The Authority considers Discretionary Management to include the giving of financial advice for the purpose of this rule.

8.6 Risk management

Risk management encompasses the process of identifying key risks, measuring and monitoring exposures to those risks, taking steps to control / mitigate risks and appropriate reporting to senior management and the board. Internal controls are designed to ensure that each key risk has a process or other measure to help contain or control the risk and that such process or measure is applied properly and works as intended.

Even in very small licenceholders key management decisions should be taken by more than one person. The principles below should also be considered by smaller licenceholders, where relevant.

Where a licenceholder is of sufficient size to warrant a risk management function, the risk management function should be responsible for identifying, measuring, monitoring, controlling or mitigating, and reporting on risk exposures. Where possible, the risk management function should be sufficiently independent of the business units whose activities and exposures it reviews. It is however important that risk managers are not isolated from business units and it is recognised that it is not uncommon for risk managers to work closely with individual business units and to have dual reporting lines.

The risk management function should ultimately be responsible to the board and issues raised by it should receive the appropriate attention from the board and senior management. The function should be adequately resourced both from a systems and staffing perspective (including managers who possess sufficient experience, knowledge and qualifications where appropriate).
Risks should be identified and monitored appropriately in accordance with the licenceholder’s risk profile and there should be reporting to the board and senior management. The risk management function should promote the importance of senior management and business line managers in identifying and assessing risks critically.

The risk management function should be actively involved in assessing risks that could arise from mergers and acquisitions and should report findings to the board. In particular, risks can arise from conducting insufficient due diligence that fails to identify risks that emerge post-merger.

When reporting to the board (and/or committees) and senior management, information should be communicated in a timely, complete, understandable and accurate manner to enable the board to make informed decisions and, where necessary, take prompt action. There should be a balance between communicating information that is accurate and unfiltered (i.e. does not hide potential bad news) and not communicating so much that the sheer volume becomes counterproductive. Risk reporting to the board should ensure that risks are conveyed in a meaningful manner.

Market conditions and trends should also be taken into account where applicable. Where the licenceholder has lines of business which are wholly or partly driven by tax considerations, the assessment of risks in the external environment should address risks arising from changes in the relevant tax regime or its application and any reputational damage the schemes could cause for the licenceholder and the Island.

8.7 Remuneration policy

Guidance on corporate governance for banks contains additional guidance on remuneration policies, specifically for Class 1 licenceholders.

A licenceholder’s remuneration policy should identify how staff, those contracted to work on behalf of the company, senior management and executive board members are rewarded for their employment. Where applicable, it should include reference to performance related pay, bonus payments, and sales incentive schemes.

With particular regard to licenceholders that conduct investment business activities, incentive schemes must be properly controlled and must not be structured in such a way that could create risks of staff selling products to clients that they do not want or are not appropriate. The risks that incentive schemes pose should be identified and managed properly.
8.8 Whistleblowing policy

See also Whistleblowing Frequently Asked Questions and A Brief Guide to Whistleblowing.

8.9 Conflicts of interest policy

See Guidance on conflicts of interest policy and related rules.

The Rule Book does not define a conflict of interest as the Authority does not believe that it could usefully define the term in more detail than an ordinary dictionary definition such as “a conflict between a person's private interests and public obligations” (answers.com).

Readers should also note Rule 6.11 which addresses borrowing from clients.

Additional guidance for Class 1 licenceholders is available in the corporate governance guidance document for banks.

8.10 Conflicts of interest register

The Authority has prepared a template Conflicts of Interest register which licenceholders may use if they wish. This is not a statutory document and its use is not obligatory.

Licenceholders may also wish to maintain a register of ‘outside interests’ to assist in the identification of potential conflicts of interest.

8.11 Business plan

The Authority has issued extended Guidance - Rule 8.11.

The extent and complexity of a business plan will vary according to the scale and complexity of the business, and in reviewing the content of the business plan the Authority will consider the risks that might be posed to a licenceholder, its customers, and the integrity of the Isle of Man financial system by deficiencies in the business plan.

8.13 Changes to activities, services or products

The Authority's Licensing Policy includes at paragraph 2.1.5 “An applicant should restrict its activities to the regulated activities which it is licensed to conduct and other wholly incidental activities. If an applicant or licenceholder plans to conduct ANY activities other than those regulated activities for which it has applied for/holds a licence, it must pre-notify the IoMFSA per Rule 8.13 of the Rule Book. This applies both to activities for which a licence is required as well as any other activities” [A footnote gives illustrations such as sub-letting premises, catering, vehicle hire, travel services, office cleaning etc].

Rule 8.13(d) requires notification of activities that are not regulated by the Authority that a licenceholder commences, materially changes, or ceases undertaking. Such activities may include activities that are licensed, registered or regulated by the Office of Fair Trading, the Gambling Supervision Commission, or other authorities; DNFBP activities; unregulated new business lines; trading ventures or overseas ventures.

A licenceholder should consider paragraph 2.1.5 of the Licensing Policy before putting forward any proposal for an activity which is outside the regulated activities that it is licensed to conduct.

Deposit takers are advised as follows. The Authority expects to be notified of any new product or service or change to a product or service that impacts the licenceholder’s risk profile for liquidity, credit, interest rate risk, foreign exchange risk or operational risk. This is for prudential supervisory purposes. As such the Authority expects to be notified of:

• Completely new business activities e.g. diversifying into lending;
• New products e.g. new currency account, structured products where the bank is issuing structured products for the first time; and
• Any changes in product or service that impact the risk profile (see above).

In addition, the Authority expects to be notified of any change to an existing structured product and to be provided with a copy of the marketing literature. The Authority’s focus is to ensure that the product is being promoted in a way that is fair and accurate.

The fact that the Authority has been notified and has raised no objections should not be regarded as an endorsement or approval of the product or service.

Further guidance for deposit takers is provided in the Guidance note on OTC Derivatives and Structured Products and the Guidance note for deposit takers in relation to Fiduciary Deposits.

8.14 Business resumption and contingency arrangements

The licenceholder should take account of the scale and complexity of the business in determining what arrangements are appropriate.

The UK Government Business Continuity Management Toolkit comments “The frequency of exercises will depend on your organisation, but should take into account the rate of change (to the organisation or risk profile), and outcomes of previous exercises (if particular weaknesses have been identified and changes made). As a minimum we would suggest plans are exercised annually.”

8.16 Delegation of function including outsourcing

Please refer to the Guidance Notes on Outsourcing/Delegation of Functions.

Rule 8.16 requires that any such arrangements are documented in an agreement which covers the respective responsibilities and duties and the provisions for termination of the agreement. The Authority may inspect such agreements and the activities conducted under them.

Management and administration of another licenceholder under Class 7 or Class 3(9) is addressed by Rule 8.12.

8.17 Breaches of regulatory requirements

A link to a briefing document on materiality of rule breaches is available here.

The Authority has prepared a Template Breaches Register which licenceholders may use if they wish. This is not a statutory document and its use is not obligatory.

8.18 Fraud or dishonesty

The purpose of this requirement is to inform the Authority at an early stage of any event that could potentially affect the licenceholder’s reputation or financial soundness.

The Authority expects its licenceholders to report acts of fraud or dishonesty (whether undertaken or identified in the course of business or not) of its employees and directors irrespective of their seniority. The records of individuals’ names will assist the Authority in vetting persons for future key staff positions. The Authority will also consider whether there are material concerns arising from the event in respect of administrative or controls breakdowns.

Refer also to Rule 7.12 Fitness and propriety and Rule 7.13 Staff disciplinary action.

8.21 Head of Compliance and MLRO

The rule does not prevent the Head of Compliance having another job title such as “Compliance Manager” but does require that a person be appointed and identified as having that role.

8.25 Isle of Man resident officers

In this rule "day to day" means on a routine or daily basis.

8.26 Company Secretary

This rule has been removed. The Company Secretary of an Isle of Man incorporated regulated entity is now an R9 Controlled Function (notified only appointment). Please refer to the Fitness and Propriety Assessment Guidance area of the Authority’s website.

8.27 Systems and controls for record keeping

The attached document cross-references the Rule Book requirements for Record Keeping.

8.28 Clients’ records

The attached document cross-references the Rule Book requirements for Record Keeping.

With effect from 1 January 2017, recordings of telephone conversations form part of the records of certain Class 2 and Class 3 regulated activities i.e. in relation to sales of investments. Such records should be easily made available to the Authority on request.

8.30 Relations with regulators

If a licenceholder receives a request for an employment reference from the Authority or from a financial services regulator in another jurisdiction, the licenceholder should:

  1. respond promptly; and,
  2. set out all disclosable matters which the licenceholder believes to be relevant and true, including details of any serious disciplinary action against the member of staff.

8.31 Annual Regulatory Returns

Annual regulatory returns and checklists to assist with the completion of the returns are available on the Compliance Support page and the Returns/Forms page of the Authority’s website.

Rule 8.31(5) – As outlined in the Authority’s Procedural Instructions for Financial Returns, Chapter 7, “the licenceholder should maintain liquid capital to be able to fund the excess on one potential claim on the PI insurance policy, except where a letter of support is in place from a group company when an amount of zero may be entered.” This must be agreed in advance with the Authority.

A Letter of Comfort would usually be considered where it is being issued due to a high group PII excess. It is expected that, as a minimum, the provider is able to demonstrate that it has a positive net current asset position.

8.32 Complaints

Licenceholders should review the Advice to suppliers on complaints handling and the Financial Services Ombudsman Scheme published by the OFT.

Rule 8.32(1)(b) refers to an acknowledgement being provided within 7 days of receipt. To clarify, this means 7 working days.

Rule 8.32(1)(c)(ii) requires that, where a complaint concerns financial advice, the person reviewing the complaint “holds the appropriate level of qualification to provide financial advice”. The Rule Book does not define the appropriate level of qualification, but the Authority’s Training and Competence framework provides information on the qualifications and experience necessary to be a financial adviser on the Isle of Man; i.e. Level 4 RDR compliant investment qualification. Consideration therefore needs to be given to the relevant experience and qualifications held by the person(s) within the firm dealing with investment complaints. In smaller firms, it may be necessary to seek the services of their locum or another local advisory firm that holds the relevant Class 2 licence permissions.

The Authority has prepared a template complaints register which licenceholders may use if they wish. This is not a statutory document and its use is not obligatory.

Where there is a systemic issue (such as PPI) that generates a number of complaints that cannot reasonably be resolved within 8 weeks, the Authority may request a general notification and statistics rather than information regarding individual cases.

Following notification of an unresolved complaint within 8 weeks, the licenceholder should provide regular updates on the status of the complaint until it is resolved.

8.34 Internal Audit

Rule 8.34 supplements Rule 8.6 Risk management and contains more specific internal audit requirements for banks. The corporate governance guidance for banks contains further guidance on internal audit functions.

The Authority expects that the Board of directors or, in the case of an IOM branch(es) of an overseas bank, the responsible officers in conjunction with group internal audit/risk, will review internal audit arrangements at least annually to ensure that they remain appropriate for the size and nature of the licenceholder’s operations. Whilst it is not a regulatory requirement to provide a copy of internal audit reports, the Authority is interested in the work of internal audit functions and the output of internal audit reviews.

8.35 Corporate governance

See The guidance note for deposit-takers

8.36 Credit Risk Policy

See The guidance note for deposit-takers on Credit risk, Arrears and Provisions Management

8.38 Large exposures policy and 8.36 Large exposure management

The guidance note for deposit-takers on Large Exposures is attached

8.43 Liquidity policy and 8.44 Liquidity management

The guidance note for deposit-takers on Liquidity Risk Management is attached

8.45 Foreign exchange risk

The guidance note for deposit-takers on Foreign Exchange Risk Management is attached

8.46 Interest rate risk

The guidance note for deposit-takers on Interest Rate Risk Management is attached

8.49 Credit Risk Policy

See The guidance note for deposit-takers on Credit risk, Arrears and Provisions Management

8.51 Large exposures

The guidance note for deposit-takers on Large Exposures is attached

8.53 Liquidity policy and 8.54 Liquidity management

The guidance note for deposit-takers on Liquidity Risk Management is attached

8.55 Foreign exchange risk

The guidance note for deposit-takers on Foreign Exchange Risk Management is attached

8.56 Interest rate risk

The guidance note for deposit-takers on Interest Rate Risk Management is attached

8.57 Professional Indemnity Insurance (“PII”)

Paragraph 1 of the rule prioritises appropriateness over the tabulated figures, which means that simply meeting the amount in the table will be insufficient if that amount is not considered appropriate to the particular business.

PII cover may be part of a group policy. Where it is, the amount and nature of cover should be appropriate to the insurance needs of the licenceholder and the group.

There is no requirement in the rule concerning the amount of the PII excess. However, the amount of the PII excess is deducted in the financial resources calculation; see Appendix 3 Part D and note 18.

If a parental assurance has been accepted by the Authority, a zero may be input to the calculation; however, if licenceholder A pays the excess of licenceholder B, then both excesses must be deducted from licenceholder A’s liquid capital.

Deposit takers which do not carry PII are required to make appropriate provision for the risks of their non-deposit-taking business in their ICAAP calculations.

Licenceholders should note that the turnover requirement in Rule 8.57(3) is based on turnover for the most recent financial year, not the most recent audited financial statements.

In respect of paragraph (8): the Authority may require a licenceholder to hold run-off PII cover in respect of claims arising from past acts or omissions.

8.60 Pricing errors

The Authority has prepared a Proforma pricing errors register which licenceholders may use if they wish. This is not a statutory document and its use is not obligatory.

See also CIS pricing errors longer form summary

8.62 Provision of officers

A CSP should ensure that its directors of client companies are aware of the duties and obligations of the office of director under the laws of the client company’s jurisdiction of registration, and that they are aware that in performing the functions of such office, they have a personal responsibility. If necessary, legal advice should be sought.

The Authority has issued Guidance on the responsibilities and duties of directors under the laws of the Isle of Man and there are other publications available giving guidance with regard to the duties and responsibilities of directors.

See also Guidance on directorships, trusteeships and similar responsibilities held by directors and individuals in 'controlled functions'.

8.63 Internal Audit

Rule 8.63 supplements Rule 8.6 Risk management and contains more specific internal audit requirements for stockbrokers. Stockbrokers may find the extended Guidance - Banks Corporate Governance useful when considering their arrangements.

The Authority expects that the Board of directors or, in the case of an IOM branch(es) of an overseas bank, the responsible officers in conjunction with group internal audit/risk, will review internal audit arrangements at least annually to ensure that they remain appropriate for the size and nature of the licenceholder’s operations. Whilst it is not a regulatory requirement to provide a copy of internal audit reports, the Authority is interested in the work of internal audit functions and the output of internal audit reviews.

PART 9 – PROFESSIONAL OFFICERS

Professional Officers

Guidance

9.3(f)(i)(ii) Skill, care and responsible behaviour

Information about professional bodies and trade associations on the Island is included in the Authority’s links to external material.

Professional Officers should set their own limits and procedures for compliance with sub-paragraph (g) which should be covered in their internal policy. See also Rule 9.21 regarding the obligation to establish a conflicts of interest policy and to consider what constitutes a conflict of interest.

9.24 Professional indemnity insurance

Where a Professional Officer is providing services to a corporate services or trust services licenceholder, he or she should clarify whether this is covered under their own or the other licenceholder’s PII (and ensure that one applies).

9.27 Surrender of licence

See extended Guidance - Rules 7.17 and 9.27.

VERSION CONTROL

Date updated | Section | Comments
------------ | ------- | --------
22.10.2018 | Part 6, Rule 6.1, 6.2 and 6.6 | New guidance issued
24.06.2020 | Part 7, Rule 7.15 | New guidance issued
22.01.2024 | Part 2, Rule 2.32 | Removed reference to audit exceptions (no longer available)
22.01.2024 | Part 6, Rule 6.72 | Simplified text, to reference to applicable website support pages
22.01.2024 | Part 8, Rule 8.31 | Added additional link to website support pages