2021-01-01

Isle of Man Financial Services Authority Long Term Insurers Sector Specific AML/CFT Guidance Notes

The Isle of Man Financial Services Authority issued this November 2021 guidance to direct long-term insurers on complying with the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019. The document mandates rigorous risk assessments, detailed Customer Due Diligence procedures, and specific protocols for managing intermediaries and introduced business. It further outlines enhanced monitoring requirements for higher-risk relationships and defines red flags to identify suspicious money laundering or terrorist financing activities.


Isle of Man Financial Services Authority Version 2 Page 1 of 25 Last updated November 2021

Long term insurers Sector Specific AML/CFT Guidance Notes
November 2021

Whilst this publication has been prepared by the Financial Services Authority, it is not a legal document and should not be relied upon in respect of points of law. Reference for that purpose should be made to the appropriate statutory provisions.

Contact:
AML/CFT Division
Financial Services Authority
PO Box 58
Finch Hill House
Bucks Road
Douglas
Isle of Man
IM99 1DT
Tel: 01624 646000
Email: aml@iomfsa.im
Website: www.iomfsa.im

Contents

Version history ..... 4
  1. Foreword ..... 5
  2. Introduction ..... 5
     2.1 National Risk Assessment ..... 6
     2.2 Context of the sector ..... 6
  3. Use of intermediaries ..... 7
     3.1 Regulated introducer ..... 8
     3.2 Appointed representative ..... 9
  4. Risk guidance ..... 9
     4.1 General higher risk indicators ..... 10
     4.2 Red flags ..... 12
     4.3 Additional risk factors ..... 12
         4.3.1 Customer risk factors ..... 13
         4.3.2 Product risk factors ..... 13
         4.3.3 Distribution channel risk factors ..... 14
         4.3.4 Geographical risk factors ..... 14
         4.3.5 Intermediary risk factors ..... 14
  5. Customer Due Diligence (“CDD”) ..... 14
     5.1 CDD in the sector ..... 15
     5.2 Suitable certifier regime ..... 15
     5.3 Cooling off and cancellation periods ..... 16
     5.4 Specific Code requirements in relation to insurers ..... 16
     5.5 Share exchange ..... 18
  6. Simplified CDD measures ..... 18
     20 Insurance ..... 19
  7. Ongoing monitoring ..... 20
     7.1 Trigger event monitoring ..... 20
     7.2 Monitoring of higher risk relationships ..... 21
     7.3 Monitoring of PEP relationships ..... 21
     7.4 Regular payments ..... 22
     7.5 Subsequent business transactions ..... 22
         7.5.1 Subsequent business transactions - cases with an introducer certificate ..... 23
  8. MLRO function ..... 24
  9. Glossary ..... 24

Version history

Version 2 (November 2021)
- Updates to reflect changes to the main structure of the AML/CFT Handbook
- Updates to footnotes to include links in the main body for consistency purposes
- Amendments throughout to ensure consistency across all sector specific guidance
- Historic sections relating to introduced business, suitable certifier regime and different types moved to the Long term insurers Supplemental Information Document.


  1. Foreword

This sector specific guidance document refers to activity undertaken by all insurers writing long term business as defined in Regulation 4 of the Insurance Regulations 2018. An insurer refers to a person authorised to carry on insurance business under section 8 of the Insurance Act 2008, or to whom a permit is issued under section 22 of that Act, of Class 1 and/or Class 2 (long term business) as defined in the Insurance Regulations 2018.

  2. Introduction

The purpose of this document is to provide some guidance specifically for insurers in relation to anti-money laundering and countering the financing of terrorism (“AML/CFT”). This document should be read in conjunction with both the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (“the Code”) and the main body of the AML/CFT Handbook (“the Handbook”).

Though the guidance in the Handbook, and this sector guidance, is neither legislation nor constitutes legal advice, it is persuasive in respect of contraventions of AML/CFT legislation dealt with criminally, by way of civil penalty or in respect of the Authority’s considerations of a relevant person’s (as such term is defined in paragraph 3 of the Code) regulatory / registered status and the fit and proper status of its owners and key staff where appropriate.

An insurer must be in compliance with the Code at all times. If an insurer identifies a matter that is in contravention of the Code this must be notified to the Authority as soon as possible, in line with the requirements of paragraph 74(2) of the Corporate Governance Code of Practice for Commercial Insurers1.

In relation to the insurance sector, there are certain sections of this document which insurers may wish to refer to instead of (or alongside) the guidance included in the Handbook.

Section | Corresponding paragraph in the Handbook
3.1 & 3.2 Regulated introducer | N/A – the particular concept of a “regulated introducer” is not covered in the main handbook. However, this section should be read in conjunction with section 2.2.10 of the Handbook (introduced business). The Long term insurers Supplemental Information Document also provides additional detail on introduced business.
5.2 Suitable certifier regime | 3.3.4.4 of the Handbook and the Long term insurers Supplemental Information Document provide further detail regarding hard copy verification and certification specifically for insurers.
8 MLRO function | Chapter 5 of the Handbook provides additional guidance regarding the MLRO function.
9 Glossary | In addition to the glossary provided in relation to the AML/CFT guidance, a further glossary is provided for insurers within this document.

1 SD No. 2018/0247

The Authority recommends that insurers familiarise themselves with the FATF Risk-based Approach Guidance for the Life Insurance Sector and any other relevant typology reports concerning the sector.

2.1 National Risk Assessment

The Island’s National Risk Assessment (“NRA”) was published in 2015 and was updated in 2020. Insurers must ensure their business risk assessment (and customer risk assessments where necessary) take into account any relevant findings of the NRA.

In relation to the main vulnerability of the sector, there is a risk that funds used to purchase life insurance may be proceeds of crime. There is also a risk, however limited, that funds withdrawn from life insurance contracts could be used to fund terrorism. The NRA sets out the main risks and vulnerabilities in detail. Overall, after applying consideration of the control and other preventative measures in place, together with the product weightings (explained in the NRA), the life sector is assessed as having a Medium level of vulnerability for ML and a Medium level of vulnerability for TF.

2.2 Context of the sector

Long term business, such as life insurance products, is designed to financially protect the customer2 and related third parties, which may include the insured, the beneficiary(/ies) of the contract, and the beneficial owners, against the risk of an uncertain future event such as death or critical illness. Life insurance products can also be bought as investment or saving vehicles and to support estate planning or pension plans. The Island’s long term sector is predominantly unit linked investment insurance business.

2 For ease of reference the term “customer” will be used throughout this guidance document, however this may also include requirements to be placed on the beneficial owner / beneficiaries / connected parties depending on the requirements included in paragraph 12 (Beneficial Ownership and Control) of the Code.

Most life insurance products are designed for the long term and some will only pay out on the occurrence of a verifiable event, such as death or retirement. However, the majority of products offered by Isle of Man insurers have saving or investment features, which may include the options for full and/or partial withdrawals or surrenders at any time. Life insurance policies can be individual policies, corporate / trust based policies or group policies (for example, companies may provide life insurance for their employees as part of a benefits package).3

This document will cover unique ML/FT risks that may be faced by the sector and will provide further guidance in respect of customer due diligence (“CDD”) measures where a “one size fits all” approach may not work. Please see section 4 of this guidance for further details in relation to the risk profile of the sector and the types of products that may be sold.

  3. Use of intermediaries

The majority of insurers operate a customer relationship, and distribute products and services, through another party such as an intermediary or “introducer”4. An introducer is defined in the Code as:

3 Interpretation
a person (“the introducer”) who provides elements of customer due diligence to a relevant person on behalf of a customer under the circumstances covered in paragraph 9 (introduced business). However, reliance in relation to the customer due diligence is not placed on an introducer within the meaning of paragraph 19 (eligible introducers);

As per paragraph 9 of the Code (Introduced Business) a customer risk assessment must be undertaken in accordance with paragraph 6 of the Code, which takes into account the involvement of any third parties involved in the process when forming a customer relationship. As set out in paragraph 9(4) of the Code, this risk assessment must include and take into account:

9 Introduced business
(4) The risk assessment must include and take into account -
(a) a risk assessment of the introducer;
(b) whether the introducer has met the customer;

3 FATF Guidance for a Risk Based Approach for the Life Insurance Sector
4 The term introducer has a particular meaning in the insurance sector (see glossary), however it should be noted that this is a defined term in the Code.

(c) whether any elements of customer due diligence provided by the introducer have been obtained by the introducer —
(i) directly from the customer; or
(ii) from any third parties; and
(d) if sub-paragraph (4)(c)(ii) applies, indicate —
(i) how many third parties were involved in the process;
(ii) who those third parties were;
(iii) whether any of those third parties have met the customer;
(iv) whether any third party is a trusted person; and
(v) whether in the case of any third parties located outside of the Island, they are located in a List C jurisdiction.

In addition to the Code requirements that apply, please see the guidance provided in section 2.2.10 of the Handbook and the Long term insurers Supplemental Information Document. Where paragraph 9 of the Code is applicable, both this guidance document and the supplemental information relating to “introduced business” should be referred to instead of the measures included at sections 3.1 and 3.2 of this document. Also, additional details in relation to some of the risk factors to be considered are included at section 4.7 of this document.

It should be noted that as stated in the Code at paragraph 4(3):

4 Procedures and Controls
(3) the ultimate responsibility for compliance with the Code is that of the relevant person, regardless of any outsourcing or reliance on third parties during the process.

As explained above, the responsibility for Code compliance is that of the relevant person. The relevant person should, however, ensure that any introducer used is made aware of the requirements of the Code.

3.1 Regulated introducer

Where an insurer receives an application for a business relationship through an introducer (as per the Code definition), who also falls within the definition of a “regulated introducer” (see glossary), and there are no third parties involved in the process, the regulated introducer may provide:

- a copy of the documents held on the regulated introducer’s file which the regulated introducer has used (historically) to verify the identity of the party. The Authority expects that any documents provided should have been certified within the last year and that the document(s) were valid at the time of production. Such a copy document may be accepted provided that the information on that verification document is the same as the application form and provided that the information supplied is detailed enough to meet the Code requirements in relation to identification and verification; or
- originals or copies of documents obtained specifically in relation to the particular application for business.

Any verification of identity passed to the insurer should be certified by the regulated introducer as being a true copy of either an original or copy document held on its file, as appropriate. If this verification of identity is not provided by the regulated introducer, the insurer must obtain the verification of identity from the customer directly and comply with the relevant requirements of the Code. If reliance is placed on an introducer to hold the verification of identity, i.e. copies of such documentation are not provided to the insurer, the eligible introducer provisions of the Code must be complied with (paragraph 19).

3.2 Appointed representative

For the purposes of this guidance the treatment of business introduced by an appointed representative is the same as the treatment applicable to any other introducer. See section 3.1 above.

  4. Risk guidance

The insurance industry is a broad sector and the ML/FT risks will vary for each business based on a wide range of factors such as the type of products they supply, their customers and the delivery channels used. Vigilance should govern all aspects of a relevant person’s dealings with its customers.

Part 3 of the Code sets out the requirements for relevant persons to undertake customer, business and technological risk assessments. Once the relevant person has assessed the ML/FT risks, appropriate controls proportionate to the risks identified must be developed and implemented. The sections below set out some risk factors for the sector to consider when undertaking and maintaining these risk assessments.

It should be remembered that risk assessments can change. In relation to a customer risk assessment, for example, this would need to be amended if a customer with only low risk products subsequently purchases a higher risk product. In relation to a business risk assessment, for example, this may change if there are product or technology changes within the business.

4.1 General higher risk indicators

As with the basic elements of a risk assessment (see chapter 2 of the Handbook), the following activities may increase the risk of the relationship. Just because an activity / scenario is listed below it does not automatically make the relationship high risk. The customer’s rationale and the nature / purpose of the business relationship, alongside the controls that are in place, should be considered in all cases. If a business is unable to obtain a satisfactory explanation from a customer in the event of any such situation, feature or activity, or in case of any other concern, it must be determined whether this is suspicious or unusual activity.

Relevant persons must be vigilant for any transactions where suspicion may be aroused and take appropriate measures. Please refer to chapter 5 of the Handbook for further detail of the Island’s suspicious activity reporting regime.

As stated in paragraph 13 (Ongoing monitoring) of the Code:

13 Ongoing monitoring
(2) Where a relevant person identifies any unusual activity in the course of a business relationship or occasional transaction the relevant person must –
(a) perform appropriate scrutiny of the activity;
(b) conduct enhanced customer due diligence in accordance with paragraph 15; and
(c) consider whether to make an internal disclosure.
(3) Where a relevant person identifies any suspicious activity in the course of a business relationship or occasional transaction the relevant person must –
(a) conduct enhanced customer due diligence in accordance with paragraph 15 of the Code, unless the relevant person believes conducting enhanced customer due diligence will tip off the customer; and
(b) make an internal disclosure.

This list of higher risk indicators is by no means exhaustive, and entities should be vigilant for any activity / transactions where suspicion may be aroused and take appropriate measures. A list of suggested red flags is included at section 4.2 of this document.

- Applications from potential customers in jurisdictions where a comparable product could be provided “closer to home” and the reason for choosing the Isle of Man cannot be understood.
- Difficulties and delays in gaining CDD information and documentation.
- The relationship is controlled by a third party or there are multiple indicators of third party deposits or payments.
- The customer places an unusual emphasis on the necessity for secrecy.
- Customers that are legal entities whose structure makes it difficult to identify the ultimate beneficial owner. This could happen at inception or subsequently, as an individually owned insurance policy can be assigned to a legal entity.
- The use of complex products with potential multiple investment accounts and / or products linked to the performance of an underlying financial asset.
- Sudden changes in the activity of the customer that are unusual and not in line with their known profile.
- Acceptance of premiums that appear to exceed the customer’s means.
- A request for a payment to a third party who is not the beneficiary and has no apparent relationship with the customer.
- Multiple surrenders with no apparent economic value.
- High value or unlimited value premium payments, overpayments or large volumes of lower value premium payments.
- Payments in cash, bank drafts in bearer form or travellers cheques.
- Use of intermediate corporate vehicles or other structures that have no apparent rationale, that unnecessarily increase the complexity of ownership, or otherwise result in a lack of transparency.
- Premiums are paid from a foreign account in a different jurisdiction to the domicile or residence of the customer.
- Cancellation and request for the refund to be paid to a third party.
- Negotiability, for example the product can be traded on a secondary market or used as collateral for a loan.
- A change of ownership / assignment of a policy just prior to a loss occurring.
- Reimbursement in a currency different to the original premium.

This section of this document should be read in conjunction with the risk factors included at paragraph 15 (Enhanced customer due diligence) of the Code. Paragraph 15(5) of the Code mandates certain circumstances where a customer must be rated as higher risk. Apart from these matters, the Authority does not generally mandate which customers or sectors must be viewed as higher risk. The Authority has no objection to a relevant person having higher risk customers provided that they have been adequately risk rated in accordance with the relevant person’s procedures and any mitigating factors have been documented. As per paragraph 15(3) of the Code a relevant person must conduct enhanced customer due diligence (“ECDD”) where a customer has been assessed as posing a higher risk.

4.2 Red flags

In addition to the above higher risk indicators, there are some factors that are likely to be “red flags” in relation to that particular relationship and would therefore usually be suspicious activity. If a relevant person identifies suspicious activity, the appropriate steps as explained in section 4.1 of this document, and paragraph 13 of the Code, must be taken. This list of red flags is by no means exhaustive and is as follows:

- where it is identified a customer provides false or misleading information and / or tries to conceal their identity;
- where it is identified a customer provides suspicious identification documents;
- the customer does not provide the business with relevant / accurate information about the nature and intended or ongoing purpose of the relationship, including anticipated account activity;
- the customer is secretive / evasive when asked to provide more information;
- the customer refuses to identify a legitimate source of funds or source of wealth;
- the customer refuses to provide details of beneficial owners of an account or provides information which is false, misleading or substantially incorrect;
- the customer enquires about how quickly they can end a business relationship where it is not expected and with no rationale;
- where the business relationship is ended unexpectedly by the customer and the customer accepts unusually high fees to terminate the relationship without question;
- the customer appears to be acting on behalf of someone else and does not provide satisfactory information regarding whom they are acting for;
- the customer is known to have criminal / civil / regulatory proceedings against them for crime, corruption, misuse of public funds or is known to associate with such persons; and
- the customer requests paying higher charges to keep their identity secret.

4.3 Additional risk factors

As with the basic elements of risk assessment discussed in chapter 2 of the Handbook, the following risk areas should be considered in all cases and on an ongoing basis.

4.3.1 Customer risk factors

- the nature and structure of the customer - who is the customer; are there a number of parties involved, i.e. different customer / insured party / beneficiary; is the customer a PEP or associated with a PEP; what is their profession; does the customer’s age seem consistent with the product being sought; are they a new or existing customer; does the legal structure of the customer make it more difficult to identify the customer and beneficial owner;
- the size of the customer’s investment - does it match their known wealth situation;
- the activity of the customer - is their activity consistent with their known profile; does any activity lack rationale; is the contract frequently transferred to another insurer; is there a frequent use of cooling off periods, particularly if the refund is to another party; early termination incurring a high cost; changes in beneficiary only when a claim is made;
- the payment method of the product - consider payment methods that may contribute to higher risks of ML/TF, i.e. cash or other forms of payment that allow anonymity, the use of different bank accounts or accounts in a country different from the residential country of that customer;
- the payment source - what is the origin of the funds involved in the business relationship; are the source of funds and source of wealth clear; is the payment coming from the customer or a third party;
- the location of the customer - is this their normal residence, is it a temporary residence, what is the place of incorporation or branch location etc.; and
- the use of an intermediary / introducer - is the CDD obtained directly from the customer or is an intermediary / introducer involved (if so the risk of that introducer must be assessed as explained further in section 2.2.10 of the Handbook).

4.3.2 Product risk factors

- the product being applied for and the risk factors associated with that product;
- products associated with higher risk factors - products that favour international customers, or that allow for pay-outs not limited to pre-defined events;
- products which allow high withdrawal amounts; how easy is it to access the accumulated funds, are partial withdrawals permitted, i.e. insurance wrapper products;
- products which allow anonymity or are easily transferable;
- products which allow for early surrender and have a surrender value; and
- products associated with lower risk factors - products with simple features and low in value such as: no investment element; only pays out for a pre-defined event; cannot be used as collateral; does not allow over payment; and only accessible through employers.

Please see the FATF Risk-based Approach Guidance for the Life Insurance Sector for further details on product risk, which may assist entities when they are undertaking their business risk assessment.

4.3.3 Distribution channel risk factors

- is it a non-face to face relationship, and if so, is there an intermediary (or several intermediaries) involved; what safeguards for confirmation of identity are in place to mitigate the risk (ensuring the provisions of paragraph 9 of the Code have been met); and
- does the rationale for the distribution channel used in relation to the business relationship seem appropriate?

4.3.4 Geographical risk factors

- what countries are the product and service being sold to; does the country have high risk factors; is it in a List C jurisdiction; what is the AML/CFT regime of that country considering its most recent evaluation, national risk assessment or internet searches within the public domain, where appropriate;
- where are the customers (and any related parties) or any intermediaries located; are they resident in a List A or List B country or a country identified as high risk by the relevant person?

4.3.5 Intermediary risk factors

- the location of the intermediary; is it a List C jurisdiction; what is the AML/CFT regime of that country considering its most recent mutual evaluation or NRA where appropriate;
- consider the status of the intermediary; do they fit the definition of a regulated introducer; what is their size and has business been done with them previously;
- how many intermediaries are involved in the process and which entity has met the customer face to face;
- does the intermediary handle any funds directly for the customer; does it get involved in any pay outs of the contract or is the intermediary purely a facilitator / introducer; and
- has the insurer received any complaints against the intermediary relevant to its ML/FT risk.

  5. Customer Due Diligence (“CDD”)

Part 4 of the Code requires relevant persons to undertake customer due diligence and ongoing monitoring in relation to all business relationships.

Chapter 3 of the Handbook provides guidance on how to identify and verify the identity of the customer in relation to both a natural and legal person. Also, guidance on the timing of identification and verification of identity is provided. Please also see section 3.8 of the Handbook for further details on source of funds and source of wealth.

Within this sector the customer would usually be the person seeking to form the business relationship (although it must always be determined if the customer is acting on behalf of someone else, as required by paragraph 12(2)(b) of the Code).

For details of any concessions which may be applicable please see:

- paragraph 20 of the Code;
- section 6 of this guidance; and
- chapter 4 of the Handbook.

In all cases where the requirements of Part 4 of the Code cannot be met (paragraphs 8(5), 9(9), 10(5), 12(11), 14(6), 15(8) and 19(11)) the procedures and controls must provide that –
(a) the business relationship must proceed no further;
(b) the relevant person must consider terminating5 the business relationship; and
(c) the relevant person must consider making an internal disclosure.

5.1 CDD in the sector

This section of guidance considers areas which are mainly applicable for insurers and introduces the suitable certifier regime which may be used in place of the certification section (3.3.3.4) of the Handbook. Also, within this section there is some further information concerning types of customers that may be on-boarded by an insurer which are not included in the Handbook.

5.2 Suitable certifier regime

A relevant person must satisfy itself as to the identity of the customer, beneficial owner and any connected parties as required by the Code at paragraph 12. In certain circumstances relevant persons may obtain verification of identity from the customer directly; however, often a third party such as a suitable certifier will be involved in the process. This process is explained further in the Long term insurers Supplemental Information Document.

[5] In relation to a new business relationship (paragraph 8) the business relationship must be terminated.

5.3 Cooling off and cancellation periods

Where a customer takes up the right to decline to proceed with a contract during a cooling off or cancellation period (where this is permitted by the prevailing regulations and rules under which the contract was sold), the circumstances surrounding the request to cancel should be considered. If unusual or suspicious activity is identified, the appropriate steps must be taken as set out in paragraph 13 of the Code. Chapter 5 of the Handbook sets out further guidance in relation to suspicious activity reporting. Please see section 5.4 of this guidance for further detail on the relevant Code requirements where any payment is being made by an insurer.

5.4 Specific Code requirements in relation to insurers

The general requirements in relation to CDD apply to the customer, beneficial owner and any connected parties[6] as required by the Code. The Code requirements in relation to new business relationships are at paragraph 8 of the Code, and provisions in respect of beneficial ownership and control are set out at paragraph 12 of the Code. Specifically in relation to life assurance policies, there are a number of requirements to note. These are replicated below; however, this guidance should be read alongside the full text of the Code and chapter 3 of the Handbook.
12 Beneficial ownership and control

12 (8) Without limiting sub-paragraphs (2) to (7), in the case of a life assurance policy, an insurer must —
(a) identify any named beneficiary;
(b) in respect of a class of beneficiaries where it is not reasonably practicable to identify each beneficiary, obtain details sufficient to identify and describe the class of persons who are beneficiaries, to satisfy the insurer that it will be able to verify the identity of the beneficiaries at the time of pay-out; and
(c) where a policy is assigned to an assignee, identify the assignee and take reasonable measures to verify their identity using reliable, independent source documents, data or information.

[6] For ease of reference the term “customer” will be used throughout this guidance document; however, this may also include requirements to be placed on the beneficial owner / beneficiaries / connected parties depending on the requirements included in paragraph 12 (Beneficial Ownership and Control) of the Code.

A beneficiary may be nominated at the outset of the relationship or at any time during the life of the policy. In relation to a named beneficiary, the relevant person must determine what information should be obtained depending on the risk assessment of the relationship. It is noted that more limited information may be available initially; however, it must be ensured that the identity of the beneficiary is appropriately verified as per the Code requirements prior to a payment being made.

In respect of classes of beneficiaries, where it is not reasonably practical to identify (and verify) each beneficiary at the outset of the relationship, sufficient details should be obtained to identify and describe the classes of beneficiaries. No payment or loan must be made to those beneficiaries until the identity of the beneficiaries has been verified.

Where a policy is assigned to a third party, verification of identity must be obtained either before assignment takes place, or as soon as reasonably practicable thereafter. The identity of an assignee must be verified prior to any payment being made.

12 Beneficial ownership and control

12 (9) Without limiting sub-paragraphs (2) to (8), in the case of a life assurance policy, an insurer must not make any payment or loan to a beneficiary or assignee of a life assurance policy unless it has verified the identity of each beneficiary or assignee using reliable, independent source documents, data or information.

Where a beneficiary is nominated to receive any benefit arising under a policy, the verification of the identity of that beneficiary may be deferred and take place after the business relationship has been established, provided that it takes place:

- at, or before, the time of pay-out; or
- at, or before, the time the beneficiary exercises a right under the policy.
It should be noted that the deferral of verification of identity described above for a beneficiary cannot be applied to the policyholder or customer, or to any person appearing within the lists of persons who should normally be identified at the outset of a business relationship, as set out in the Code and chapter 4 of the Handbook.

12 Beneficial ownership and control

12 (10) Without limiting sub-paragraphs (2) to (9), in the case of a life assurance policy where a payment is to be made by an insurer to an account not in the name of the customer or beneficiary —
(a) the reasons for this must be understood and recorded; and
(b) this account holder must be identified, and on the basis of materiality and risk of ML/FT reasonable measures must be taken to verify the identity of the account holder using reliable, independent source documents, data or information.

Under certain circumstances a payment may be made to a third party account, for example a client money account, or if a payment to the customer’s account is impossible, for example if the account has subsequently been closed. In these circumstances an insurer must ensure the conditions at paragraph 12(10) of the Code are satisfied. Further guidance is provided at section 3.4.5.4 of the Handbook.

5.5 Share exchange

Where a premium is to be paid in total, or in part, by the exchange of an existing shareholding, an insurer must be satisfied that the shares presented are held in the name of the customer. Where the share certificate(s) or share register are not in the name of the customer, the insurer should be satisfied that the reasons for the name on the share certificate(s) or share register not being that of the customer are understood and, where considered necessary, the person(s) or entity whose name(s) appear on the share certificate(s) or share register must be identified and their identity verified in accordance with the Code requirements (in particular see paragraph 12 of the Code).

6. Simplified CDD measures

The following section sets out further detail regarding concessions that may be applicable to the sector, as set out in paragraph 20 of the Code.

20 Insurance

(1) This paragraph applies to —
(a) an insurer; and
(b) an insurance intermediary.

(2) Where the contract of insurance is a contract which —
(a) the annual premium is less than €1,000 or the single premium, or series of linked premiums, is less than €2,500; or
(b) there is neither a surrender value nor a maturity value (for example, term insurance),
an insurer or insurance intermediary need comply only with paragraph 13 of Part 4.

(3) In respect of a contract of insurance satisfying sub-paragraph (2) an insurer or insurance intermediary may, having paid due regard to the risk of ML/FT, consider it appropriate to comply with Parts 4 and 5 (if applicable) but to defer such compliance unless a claim is made or the policy is cancelled.

(4) If —
(a) a claim is made under a contract of insurance that has neither a surrender value nor a maturity value (for example on the occurrence of an insured event); and
(b) the amount of the settlement is greater than €2,500,
the insurer or insurance intermediary must identify the customer or claimant and take reasonable measures to verify the identity using reliable, independent source documents, data or information.

(5) An insurer or insurance intermediary need not comply with sub-paragraph (4) if a settlement of the claim is to —
(a) a third party in payment for services provided (for example to a hospital where health treatment has been provided);
(b) a supplier for services or goods; or
(c) the customer where invoices for services or goods have been provided to the insurer or insurance intermediary,
and the insurer or insurance intermediary believes the services or goods to have been supplied in respect of the insured event.
(6) If —
(a) a contract of insurance is cancelled resulting in the repayment of premiums; and
(b) the amount of the settlement is greater than €2,500,
the insurer or insurance intermediary must comply with Parts 4 and 5 (if applicable).

(7) Sub-paragraphs (2), (3) and (5) do not apply if —
(a) the customer is assessed as posing a higher risk of ML/FT; or
(b) the insurer or insurance intermediary has identified any suspicious activity.

(8) If the insurer or insurance intermediary has identified any suspicious activity the relevant person must make an internal disclosure.

Generally, paragraph 20 of the Code permits an insurer either not to undertake the requirements of Parts 4 (Customer due diligence) and 5 (Enhanced measures) of the Code (if applicable), or to defer such compliance, provided certain criteria are met. The insurer must ensure appropriate monitoring takes place where any exemptions are used so that it is able to identify if the required criteria are no longer being met. For the avoidance of doubt, the other parts and paragraphs of the Code continue to apply, i.e. the customer must still be risk assessed appropriately in line with the requirements of Part 3 of the Code.

Where the customer has been assessed as posing a higher risk of ML/FT, paragraph 20(7) of the Code disapplies paragraphs 20(2), (3) and (5), which provide for the exemptions. Therefore, the insurer must undertake any applicable requirements of Parts 4 and 5 of the Code and cannot defer these requirements. Also, if the customer is assessed as posing a higher risk, ECDD should be undertaken in line with paragraph 15.

If suspicious activity is identified, any concession(s) no longer apply and the insurer or insurance intermediary must undertake the requirements of Part 4 (or Part 5) of the Code as applicable. Also, in these circumstances ECDD should be undertaken in line with paragraph 15 of the Code, unless the insurer or insurance intermediary reasonably believes conducting ECDD will tip off the customer. An internal disclosure must be made (see paragraph 13 of the Code and section 4.1 of this guidance document for further details).

7. Ongoing monitoring

The Code requirements in relation to ongoing monitoring of business relationships are covered by paragraph 13 of the Code.
To be most effective, resources should be targeted towards monitoring those relationships presenting a higher risk of ML/FT. Information obtained as part of the ongoing monitoring of a business relationship should be assessed and consideration given as to whether it affects the customer risk assessment.

7.1 Trigger event monitoring

The Authority accepts that in respect of insurers, due to the nature of the sector and the types of products being sold, CDD information on standard risk customers may be reviewed on a trigger event basis rather than as part of a periodic review[7]. The Authority expects that, in order to meet the Code requirements of paragraph 13, appropriate arrangements are in place to screen the client database on an ongoing basis in order to establish whether any clients may have had a change of status, for example have become PEPs. Consideration should also be given as to whether the change of CDD information may impact on the customer risk assessment.

[7] Trigger events may include a subsequent business transaction, a surrender or redemption (partial or full), or when the insurer becomes aware of something which causes it to doubt the identity of someone connected to the policy or the veracity or adequacy of CDD previously obtained.

Where a trigger event occurs it may not always be necessary to refresh all CDD measures. Relevant persons should determine the extent of the CDD measures to be applied. Further detail can be found in section 3.3.6 of the Handbook.

7.2 Monitoring of higher risk relationships

The Handbook explains that the extent and frequency of ongoing monitoring must be risk based and enable relevant persons to effectively manage and mitigate their ML/FT risk; this indicates that resources should be targeted at higher risk customers. In respect of customers of insurers, again due to the nature of the sector and the types of products being sold (many of which are non-transactional), insurers may consider reviewing the business relationship of higher risk customers on a sampling basis (alongside usual trigger event monitoring). This should be subject to the following controls:

- the sample review should be undertaken alongside ongoing effective screening on the policy and any associated parties;
- the insurer should ensure it monitors the effectiveness of the screening system;
- the insurer should determine an appropriate sample size taking into account the size and nature of risk of the client base; and
- if the sample review identifies significant deficiencies, these deficiencies must be remediated and consideration should be given to implementing a plan to review the ECDD of further higher risk customers as soon as practicable.
7.3 Monitoring of PEP relationships

For the avoidance of doubt, in relation to any foreign PEPs and higher risk domestic PEPs, paragraph 14(4) of the Code requires that “effective enhanced monitoring” is undertaken of the business relationship. The Code requirement is as follows:

14 Politically exposed persons

(4) A relevant person must perform ongoing and effective enhanced monitoring of any business relationship with —
(a) a domestic PEP who has been identified as posing a higher risk of ML/FT; and
(b) any foreign PEP.

In respect of customers of insurers, again due to the nature of the sector and the types of products being sold (many of which are non-transactional), insurers may consider reviewing PEP relationships on a sampling basis (alongside usual trigger event monitoring). This should be subject to the following controls:

- the sample review should be undertaken alongside effective ongoing screening on the policy and any associated parties;
- the insurer should ensure it monitors the effectiveness of the screening system;
- an appropriate sample size is determined taking into account the size and nature of risk of the client base;
- it should be ensured that all PEPs are subject to at least one review during a three year period; and
- if the sample review identifies significant deficiencies, these deficiencies must be remediated and consideration should be given to implementing a plan to review the ECDD of further PEP customers as soon as practicable.

7.4 Regular payments

In relation to regular payments[8] being paid into a policy, an insurer must ensure through its monitoring processes that if there is a change of remitting account, or account holder, sufficient details are obtained to meet the Code requirements in relation to the CDD of the payer, including taking reasonable measures to establish source of funds. Please see section 3.8 of the Handbook for further details on source of funds and source of wealth.

If a customer requests monies to be remitted by multiple small payments, whether to the same account or not, an insurer should consider whether additional enquiries are required to ascertain the reasons for this. The results of these additional enquiries should be understood and recorded by the insurer. If the insurer identifies any unusual or suspicious activity, appropriate steps must be undertaken as set out in paragraph 13 of the Code and section 4.1 of this guidance document.
7.5 Subsequent business transactions

A subsequent business transaction is a transaction which was not expected by the insurer.[9] It should be treated as a trigger event and the customer’s relationship (including previously obtained CDD) should therefore be reviewed to the extent determined by the insurer, as explained above in section 7.1 of this guidance. This may subsequently have an impact on the customer’s risk rating. If during this review it is identified that CDD needs to be renewed as it is not up-to-date and/or appropriate, this should be remediated.

[8] A regular premium payment is not a subsequent business transaction.

[9] A regular premium or regular withdrawal is not a subsequent business transaction; in these scenarios CDD should have already been undertaken at the outset of the relationship, or at the time of the request. It does not have to be repeated at each subsequent transaction.

However, in all instances of a subsequent business transaction involving an event such as a “top up”, the information previously requested in respect of the source of funds must be reviewed, irrespective of the period since source of funds details were previously obtained. The insurer must ensure that the information held is sufficient to satisfy it in respect of the combined value of any existing policy(/ies) and each subsequent transaction. If the information held is not sufficient, the insurer must request sufficient information so that it is satisfied as to the source of funds. Please see section 3.8 of the Handbook for further details on source of funds and source of wealth.

If the customer is assessed as posing a higher risk, or is a foreign PEP, reasonable measures to establish source of wealth must be undertaken in order to meet the requirements of paragraph 15 of the Code. If the insurer identifies any unusual or suspicious activity, appropriate steps must be undertaken as set out in paragraph 13 of the Code and section 4.1 of this guidance.

7.5.1 Subsequent business transactions - cases with an introducer certificate

Where a subsequent business transaction occurs and the insurer has previously relied upon an introducer’s certificate, the insurer must review the file and consider whether it remains satisfied with the information provided on the introducer’s certificate, taking into account the risk profile of the customer and policy, including the nature of the subsequent business transaction. If the information contained on the introducer’s certificate is not considered sufficient, or if the insurer no longer holds terms of business with the original regulated introducer, then the insurer must obtain satisfactory documentary verification of identity.
This may be:

- verification of the customer’s identity which satisfies the requirements of the Code;
- suitably certified copy documentation from a regulated introducer that satisfies the requirements of the Code; or
- a revised introducer’s certificate which complies with the requirements of the Code.

Insurers may accept information from the regulated introducer that is correct at the time of the original application, or at the time of the request for information, provided that the insurer is satisfied that any changes to the original information have been provided to the regulated introducer in an acceptable manner.

8. MLRO function

The following section sets out the Code requirements in respect of the MLRO function which are applicable to insurers. This should be read in conjunction with paragraph 23 of the Code (MLRO). Paragraph 24 of the Code (Money Laundering Reporting Officer: insurers, insurance intermediaries and insurance managers) states:

24 Money Laundering Reporting Officer: insurers, insurance intermediaries and insurance managers

(1) Without limiting paragraph 23, the MLRO of an insurer, an insurance intermediary or an insurance manager must —
(a) in the case of an insurer authorised under section 8 of the Insurance Act 2008, an insurance intermediary or an insurance manager registered under section 25 of the Insurance Act 2008, be resident in the Island;
(b) be treated as a principal control officer for the purposes of the notice required under section 29(1) of the Insurance Act 2008; and
(c) be sufficiently senior in the organisation or have sufficient experience and authority, including where the MLRO is not an employee of the insurer[10].

(2) Where an MLRO holds more than one appointment sub-paragraph (1) applies to each appointment.

[10] For example, where the MLRO is part of an insurance manager.

Insurers will have to consider the AML/CFT legislation of other jurisdictions if they have any branches or subsidiaries located elsewhere. Paragraph 37 of the Code sets out the Isle of Man Code requirements in relation to the branches, subsidiaries and agents of insurers which are located in another jurisdiction.

9. Glossary

The following glossary only includes terms relevant for the insurance sector and the sector guidance. Please see paragraph 3 of the Code, and the glossary that supplements the Handbook, for a full list of defined terms.

Appointed representative - an individual or firm bound by contract to the insurer, or any group company of the insurer, and restricted in the products they may promote to those offered by the insurer or the group of the insurer. An appointed representative would typically be a regulated person or an external regulated person as defined by the Code.

Introducer - means a person who by way of business, whether or not receiving commission, fees or other payment for the services provided, introduces an applicant to an insurer or undertakes the ongoing servicing of a policyholder. It includes a master agent or master distributor, or any sub-agent of a master agent or master distributor. It should be noted that there is a different definition of introducer in the Code which is applicable when using paragraph 9 of the Code and that introducer is providing “elements of customer due diligence” (as defined by the Code) to the relevant person.

Introducer’s certificate - a document, or information comprising part of a larger document, which, historically, was an acceptable method of a regulated introducer certifying the identity of an applicant without providing certified copy documents.

Policy - includes all policies of insurance and also includes capital redemption bonds; the term policyholder also includes the holders of capital redemption bonds, annuities and other contracts issued by the insurer.

Regulated introducer - an introducer which fits within the definitions of “regulated person” and “external regulated business” as defined in the Code.