2021-10-28

Inspection Guidance for Firms

The Isle of Man Financial Services Authority issued this guidance to outline its risk-based inspection process for regulated firms. The document details the selection criteria, four-phase inspection workflow, and requirements for firms to submit remediation plans addressing identified observations. It establishes timelines for pre-inspection preparation, on-site fieldwork, report issuance, and subsequent supervisory monitoring of compliance.


Isle of Man

Isle of Man Financial Services Authority


Inspections Guidance for Firms
October 2021

STATUS OF GUIDANCE

The Isle of Man Financial Services Authority (“the Authority”) issues guidance for various purposes, including to illustrate best practice, to assist entities in complying with relevant legislation and to provide examples or illustrations.

Isle of Man Financial Services Authority October 2021 Page 2 of 7

Contents

  1. Background
  2. Inspections
  3. Purpose of this Guidance Note
  4. How are Firms selected for an inspection?
  5. Who undertakes inspections?
  6. The inspection process
     6.1 Pre-inspection
     6.2 On-site
     6.3 Post-inspection
     6.4 Inspection Remediation


1. Background

The regulatory objectives of the Isle of Man Financial Services Authority (“the Authority”) are set out in section 2(2) of the Financial Services Act 2008 (the “FSA08”), Insurance Act 2008 (“IA08”) and the Retirement Benefits Schemes Act 2000 (“RBSA”):

  - securing an appropriate degree of protection for policyholders, members of retirement benefits schemes and the customers of persons carrying on a regulated activity;
  - the reduction of financial crime; and
  - the maintenance of confidence in the Island’s financial services, insurance and pensions industries through effective regulation, thereby supporting the Island’s economy and its development as an international financial centre.

Section 2(1) of the FSA08 further sets out that the functions of the Authority shall, so far as is reasonably practicable, be exercised in a way that is compatible with the regulatory objectives and in a way that the Authority considers most appropriate for the purpose of meeting those objectives.

In carrying out the functions under the Designated Businesses (Registration and Oversight) Act 2015 (“DBROA”), the Authority is responsible for:

  - assessing compliance with AML/CFT legislation in relation to any designated businesses; and
  - where any breach of that legislation is found, conducting investigations into any potential liability arising from that breach.

In carrying out the functions under the Beneficial Ownership Act 2017 (“BOA”), the Authority is responsible for assessing compliance with the BOA.

2. Inspections

The following set out that the Authority may inspect the books, accounts, and documents, and investigate the transactions of specified persons:

  - Section 15 and Schedule 2 of the FSA08;
  - Section 36 and Schedule 5 of the IA08;
  - Section 26 of the RBSA;
  - Section 14 of the DBROA; and
  - Section 30 and Schedule 1 of the BOA.

(collectively, “the Acts”).

3. Purpose of this Guidance Note

This Guidance Note sets out the main aspects of our approach to undertaking inspections, to help Firms understand what to expect throughout the process. For the purpose of this guidance note a Firm is any person who is specified under the Acts that may be subject to an inspection.

4. How are Firms selected for an inspection?

We adopt a risk-based approach to the supervision of the various sectors and Firms. Inspections are undertaken for the Authority’s purposes as part of a suite of supervisory tools to assist us in assessing the risks that Firms or sectors pose to our regulatory objectives. We undertake two broad types of inspection:-

  - Firm Specific – conducted in response to a known or perceived risk within a Firm. The objective(s) of a firm specific inspection may be either broad or narrow in scope.
  - Thematic – conducted in response to a known or perceived risk at industry or sector level. Thematic inspections may be conducted in a range of ways, including by way of questionnaire or on-site inspection, or a combination of both. The objective(s) of a thematic inspection are typically narrow in scope.

5. Who undertakes inspections?

Inspections are usually conducted by the members of the Authority’s Supervisory teams. Where considered appropriate, and based on the scope of a particular inspection, the inspection team may be supplemented by additional resource of particular experience or expertise from within the wider Authority. All staff members who participate in on-site inspections will carry identity cards that both identify them as members of the Authority’s staff and confirm that they are authorised to conduct inspections for the Authority.

6. The inspection process

The inspection process is split into four core phases: pre-inspection, on-site, post-inspection and inspection remediation. Further information about what to expect during each phase is covered below. We aim to ensure that inspections are appropriately focused and conducted to a consistently high standard in order to be effective in their outcome.

6.1 Pre-inspection

Ahead of conducting an inspection we will issue a pre-inspection email, normally within a week of making initial contact with the Firm.
This will set out:-

  - the agreed dates upon which the on-site fieldwork will take place and its intended objectives (scope);
  - which of the Firm’s records (e.g. policies, procedures, registers, manuals etc.) should be provided to us in advance (noting we may subsequently request additional documents); and
  - confirmation that we will expect to hold an opening meeting with appropriate personnel of the Firm in advance of, or on the first day of commencing, the on-site fieldwork.

We will typically look to plan the on-site fieldwork at least 8 weeks in advance to allow the Firm sufficient time to comply with our requests for information, and for us to complete our pre-inspection review work. We will normally ask the Firm to provide any requested information, documents and records at least 4 weeks prior to the commencement of the on-site fieldwork. The exception is where the inspection objectives are narrow in scope, in which case the timeframes will be commensurate with the pre-inspection information request.

When we receive the information requested, we will review this in advance of the on-site fieldwork. If necessary we may request further information, to be provided in advance, or on the first day of the on-site fieldwork. We will be cognisant of the additional work that an inspection causes the Firm, and will seek to minimise disruption by ensuring that any additional requests are as focused as possible. We also expect all relevant personnel to be available during our on-site fieldwork as we may need to speak with them or hold specific meetings.

In some cases it may be important for us to commence work with little or no prior notice[1]. Short notice, or unannounced inspections are undertaken when the identified or perceived risk is so material that the immediate determination of the actual or residual risk is considered by us to be urgent.

We aim to provide at least 8 weeks’ notice to the Firm before we start on-site fieldwork, and expect to be provided with the requested pre-inspection information at least 4 weeks in advance of this. There may be limited circumstances where an inspection is unannounced or conducted at short notice.

6.2 On-site

Prior to commencing on-site fieldwork we will typically have held an opening meeting with relevant personnel of the Firm.
The purpose of this meeting is to:

  - answer any questions regarding the inspection objectives;
  - explain, if needed, the inspection process in more detail;
  - seek explanation to questions raised on review of pre-inspection information; and
  - address practical matters, for example:
      o establishing the location and means of access to relevant information and records;
      o arrangements for copying any documents;
      o identifying the Firm’s nominated person for managing the inspection; and
      o staff availability for walk-throughs.

The on-site fieldwork will focus on executing the inspection objectives, taking into account the review and analysis of the information and records submitted by the Firm in advance. In undertaking our work we will discuss matters relevant to the inspection objectives with the Firm’s personnel and review files where, for example, conduct of business or customer due diligence is part of the inspection objectives. We may also take copies of documents to support our observations and conclusions.

[1] The Acts set out that, when exercising powers of inspection, the Authority is entitled to “rights of entry and access” (to the Firm’s premises and records) “during reasonable hours”.

Whilst inspections are planned and executed to the agreed objectives, we may, in certain circumstances, conclude that the objectives require a change in some way. For example, matters may be identified which lead us to determine that there is a need to widen the objectives or, less usually, serious failings may be identified that warrant urgent action to be taken by the Authority.

6.3 Post-inspection

Normally, within 2 weeks of completing the on-site fieldwork, we will hold a debrief meeting with the Firm. The aim of the meeting is to explain the key observations arising from the inspection and to highlight any areas of material concern identified at this point. The observations we share may not be exhaustive, as following further review we may identify additional observations and/or contraventions. The debrief meeting is not mandatory but may be useful to give context to our observations.

After the on-site fieldwork, or any debrief meeting held, we typically communicate our observations and conclusions in writing to the Firm through the issuance of a draft inspection report (except in limited circumstances where we do not issue an inspection report). Where we issue a draft report, we aim to do this within 8 weeks of the end of the on-site fieldwork, or 6 weeks of holding a debrief meeting. Our observations and conclusions will not be limited to contraventions of regulatory requirements, and may extend to best practice.

The purpose of issuing our report in draft format is to provide the Firm with an opportunity to consider its factual accuracy. We will typically ask the Firm to revert to us with any comments regarding factual accuracy within 2 weeks of receiving our draft inspection report. We will consider the Firm’s response and amend the report as appropriate. Once the factual accuracy of the report has been established, we will issue a final inspection report.

We aim to complete the process of issuing the final inspection report within 12 weeks of the conclusion of the on-site fieldwork. There may be limited circumstances where we do not issue an inspection report.

6.4 Inspection Remediation

When we issue the final inspection report, we will ask the Firm to provide a remediation plan (as appropriate) detailing how, and by when, the observations and conclusions from the on-site inspection will be remediated. The Firm should aim to provide this to us within 4 weeks, noting that the level of detail will depend on the severity of the issues identified.

Remediation plans must be comprehensive, addressing all observations in an effective and sustainable manner. The remediation plan must be clear and detailed and for each observation include:

  1. How the remediation addresses the observation;
  2. Any implementation considerations;
  3. How any follow up work has/will be managed;
  4. The controls in place to manage the risk in the interim; and
  5. A timeframe for the design and implementation of the changes needed.

Whilst the Authority does not require a copy of the remediation plan until after the inspection report has been issued, we would expect preparation of a remediation plan to commence without delay, using the feedback provided by the Authority during the inspection and, where applicable, the debrief meeting. We will consider the remediation plan submitted and revert as necessary, and will monitor for the Firm’s confirmation of completion.

The complete process, from issuing the pre-inspection letter to the final inspection report and receiving the Firm’s remediation plan, can take up to 6 months, depending on the complexity and scope of the inspection.

Typically, we will require periodic updates of the progression of the remediation plan, which we may require to be accompanied by an attestation from the Firms’ board or senior management (in the case of branches) that they have satisfied themselves that the progress update is accurate, and sufficient resources are in place to deliver the remediation plan. On a risk based approach, we may request evidence, or independent assurance, of completion of one or more elements of the remediation plan.

If it subsequently transpires that the remediation plan was not adequately completed, the Authority may pursue other regulatory tools and/or interventions. Further, an inspection may result in supervisory intervention being required, or referral for consideration of an enforcement-led investigation. Enforcement is pursued where proportionate, reasonable and appropriate, which may be in parallel with remediation.