2019-09-20

Guidance Note on the Materiality of Rule Breaches

The Isle of Man Financial Services Authority issued this guidance to clarify expectations for licenceholders regarding the recording and reporting of regulatory breaches under Rule 8.17. It defines material breaches as those determined by the nature and extent of the violation, noting that failures to obtain consent are always material. The document mandates that licenceholders maintain a breaches register, notify the Authority of material incidents, and implement prompt remedial actions while considering specific mitigating or aggravating factors.

Isle of Man

Isle of Man Financial Services Authority

September 2019

Financial Services Act 2008

Guidance Note – Rule 8.17 Breaches of Regulatory Requirements

Status of guidance

The Isle of Man Financial Services Authority (“the Authority”) issues guidance for various purposes including to illustrate best practice, to assist licenceholders to comply with legislation and to provide examples or illustrations. Guidance is, by its nature, not law; however, it is persuasive. Where a person follows guidance this would tend to indicate compliance with the legislative provisions, and vice versa.

Background

This guidance confirms the Authority’s expectations in respect of breaches of the regulatory requirements[1]. The guidance applies to the recording of breaches, and the reporting of breaches under rule 8.17. It also describes aspects of routine supervisory interaction.

[1] The use of “the regulatory requirements” in rule 8.17 is based on a defined term in rule 8.1.

Recording a breach

Licenceholders are required by rule 8.17(3) to maintain a register of all breaches of the regulatory requirements. The Authority has prepared a Pro-forma breaches register which is available for licenceholders either to adopt or to check against their existing register. It is not a statutory document and licenceholders are not obliged to use it.

The Authority records in writing the breaches of which it is aware. This may be in the form of an email, letter, inspection report or other written communication. The Authority records breaches in writing for the following reasons:

  • If a regulatory requirement is not being complied with, the situation should be addressed and if possible remedied;
  • A written record of breaches provides clarity as to whether a breach has occurred and how it has been addressed by the licenceholder and the Authority;
  • Recording a breach in writing assists the licenceholder to reply if it does not agree that there has been a breach (either on factual grounds or based on the interpretation of the rule);
  • A record of all breaches promotes a consistent approach by Authority staff and confidence amongst licenceholders that consistency is being maintained;
  • Recording all breaches avoids debates about whether a breach is or is not recordable;
  • Recording breaches helps to keep a record of the circumstances, including mitigating and aggravating factors;
  • By recording all breaches, it is possible to identify persistency (or a pattern) of breaches which might indicate poor controls in the licenceholder;
  • If a number of licenceholders are not complying with a requirement it might be appropriate to issue guidance or amend a rule; and,
  • Recording all breaches assists the Authority in assessing a licenceholder’s fitness and propriety on a cumulative basis.

What constitutes a “material” breach?

Licenceholders are required by rule 8.17(1) to notify the Authority of material breaches of the regulatory requirements. In considering whether a breach is “material” a licenceholder should apply its judgement, and take into consideration the particular circumstances of the licenceholder as well as the nature of the breach. Accordingly the Authority can give only limited advice as follows:

  • A breach of a requirement to obtain consent from the Authority is always material; and,
  • In the event of a breach of a requirement to give notification to the Authority, we would always expect the licenceholder to advise us, in order to rectify the situation.

The materiality of the breach is determined primarily by the nature of the regulatory requirement and the size, impact or extent of the breach. However, the circumstances and causes are also relevant to some extent in deciding whether a breach is material. It would be appropriate, for example, to take into account whether any of the aggravating factors in Appendix 1 below are present.

Further consequences of a breach

The Authority’s decision as to whether to take further action is based upon all of the circumstances, and aims to be proportionate to the breach and the circumstances. The Authority has powers of investigation and enforcement which can be used following a breach or a pattern of breaches (for example, civil penalties, directions, or action over the fitness and propriety of the directors or key persons). The Authority uses these powers where appropriate, and has separate processes, including its Decision Making Process, for addressing such situations. However, in practice many breaches are handled without the need to use such powers.

The Authority’s decision may take into account the materiality and persistency of the breach and mitigating or aggravating factors, such as the examples in the list at table 1.

Actions to be taken following a breach

Breach identified by licenceholder

The Authority would expect a licenceholder to take the following steps when it finds that it has breached a regulatory requirement:

  1. Record the breach in the register maintained under rule 8.17(3);
  2. Identify the causes;
  3. Identify remedial action;
  4. Notify the Authority under rule 8.17(1) if the breach is regarded as material; and,
  5. Take prompt and effective remedial action.

If a potential breach is identified in advance, as might happen with the financial resources requirement for example, the licenceholder should seek to prevent the breach.

Notification to the Authority of a material breach under 8.17(1) should include:

  • When the breach occurred;
  • Description of the breach and the reasons why it occurred;
  • What corrective action has been taken or will be taken (where the breach can be corrected);
  • The timescale for the corrective action; and,
  • What steps have been taken to prevent a repetition and what is the timescale for implementation?

Breach identified by the Authority

Where a previously unrecorded breach is identified by the Authority's officers, for example during an inspection, the Authority would expect the licenceholder to:

  1. Agree a realistic timetable for remedial action;
  2. Start remedial action promptly – there is usually no need to await the final visit report;
  3. If problems are encountered and a delay to completion is possible, notify the Authority and explain the circumstances, the action being taken and the expected revised completion date (the Authority, however, reserves the right to regard missing the timetable as a compliance failure); and,
  4. Confirm when the remedial action has been completed.

A separate process is applied by the Authority to inspections which identify issues such as to require referral to Enforcement Division.

Appendix 1

Examples of mitigating and aggravating factors[2]

| Mitigating factors | Aggravating factors |
| --- | --- |
| Genuine error | Deliberate or negligent breach |
| Generally adequate procedures and controls, for example other similar matters handled correctly | Lacking or inadequate procedures or controls |
| Little or no impact on customers | Adverse impact upon customers, e.g. actual or potential financial loss |
| Force majeure - circumstances wholly or partly outside the control of the licenceholder. | Within the licenceholder’s control – possibly senior staff involved |
| Little or no additional AML/CFT risk | Increased AML/CFT risk |
| Little or no financial crime risk | Increased risk of financial crime |
| Breach identified by licenceholder | Breach not identified by the licenceholder |
| Prompt and effective remedial action. | Slow and/or inadequate response to the problem |
| | Indications of lack of competence |
| | Increased risk of financial failure |
| | Repetition of the same breach |
| | Numerous breaches of different types, which could indicate weak controls or poor compliance. |
| | Possible damage to the reputation of the jurisdiction |

[2] The list in Table 1 is illustrative and not exhaustive