2025-02-25
The Isle of Man Financial Services Authority issued this February 2025 guidance to regulate Anti-Money Laundering and Countering the Financing of Terrorism compliance for external accountants and tax advisers. The document mandates risk-based assessments, outlines specific higher-risk indicators and red flags, and requires rigorous customer due diligence including the verification of source of funds. It also clarifies the regulatory scope to include bookkeeping services and details applicable concessions such as simplified due diligence for generic designated businesses.
Isle of Man Financial Services Authority Version 4 Page 1 of 12 Last updated February 2025

Accountants and Tax Advisors Sector Specific AML/CFT Guidance Notes

February 2025

Whilst this publication has been prepared by the Financial Services Authority, it is not a legal document and should not be relied upon in respect of points of law. Reference for that purpose should be made to the appropriate statutory provisions.

Contact:
AML/CFT Division
Financial Services Authority
PO Box 58
Finch Hill House
Bucks Road
Douglas
Isle of Man
IM99 1DT
Tel: 01624 646000
Email: aml@iomfsa.im
Website: www.iomfsa.im
Version history

Version 2 (August 2020)
• Updates made to links in relation to the updated NRA

Version 3 (August 2021)
• Updates to reflect changes to the main structure of the AML/CFT Handbook
• Updates to footnotes to include links in the main body for consistency purposes
• 4 – removal of some background on risk-based approach as this is now covered at chapter 2 of the Handbook
• 6 – removal of generic designated business concession detail as this is covered at section 4.4 of the Handbook

Version 4 (February 2025)
• Update to the definition of “external accountant” to explicitly include the offering of ‘bookkeeping services’ as an activity subject to registration under the DBROA.
• Update to NRA section.
Though the guidance in the Handbook, and this sector specific guidance, is neither legislation nor constitutes legal advice, it is persuasive in respect of contraventions of AML/CFT legislation dealt with criminally, by way of civil penalty or in respect of the Authority’s considerations of a relevant person’s (as such a term is defined in paragraph 3 of the Code) regulatory / registered status and the fit and proper status of its owners and key staff where appropriate.

This document covers the unique money laundering and financing of terrorism (“ML/FT”) risks that may be faced by the sectors and provides further guidance in respect of approaches to customer due diligence. Also, a case study has been included to provide context to the risks of the sector.

This document is based on the FATF document ‘Guidance for a risk based approach – Accounting profession’. FATF updated its guidance to bring it in line with the updated FATF requirements in 2019. The Authority recommends that relevant persons familiarise themselves with this document and other typology reports concerning the sector.

2.1 National Risk Assessment

The Island’s National Risk Assessment (“NRA”) was published in 2015 and was updated in 2020. The accountancy sector must ensure their business risk assessment (and customer risk assessments where necessary) take into account any relevant findings of the NRA.

The accounting sector may be used by money launderers to provide additional layers of legitimacy to criminal financial arrangements, especially where large sums may be involved. Whilst accountants and tax advisers do not ordinarily handle funds, they will often see more of a customer’s overall affairs than any other single financial institution or Designated Business. Accountants have knowledge and specific technical abilities which can make them attractive to professional money launderers.
The NRA sets out the main risks and vulnerabilities in further detail. Overall, the level of risk for ML is assessed as medium because of the factors identified above including the comparative size of the accountancy sector in the IoM, the wide breadth of activities, the range of businesses from sole practitioners up to large international firms and the attractiveness of the sector to criminals. The risk of TF is assessed as medium low. At the time of publication of this document the NRA is currently undergoing a revision. Further to this, a standalone Accountancy Professionals Risk Assessment (including tax advisors and bookkeepers) will be produced. Relevant persons should ensure that this, along with any other sectoral or topical risk assessment that may be pertinent to their business, is considered when reviewing their own policies and procedures, including their business risk assessment.
2.2 Context of the sector

As stated in the foreword, the activities of external accountants and tax advisers are defined in Schedule 4 to POCA. In June 2019, this Schedule was updated, and the definition of external accountant was amended; the provision of audit services was incorporated into the definition and explicit reference has now been made to insolvency. In October 2024 this Schedule was updated again and the definition of ‘external accountant’ was amended; the provision of bookkeeping services was explicitly incorporated into the definition. No amendments to the definition of tax adviser have been made.

Whilst the services provided by accountants and tax advisers can vary, the activities which are captured by the definitions in Schedule 4 to POCA include:
• audit services;
• bookkeeping;
• preparation of annual and periodic accounts;
• tax advice;
• tax compliance services;
• insolvency services, including company liquidation, receiver-managers and bankruptcy services; and
• forensic accounting.

3. Risk Guidance

The Code mandates that a number of risk assessments are completed –
• a business risk assessment (paragraph 5)
• a customer risk assessment (paragraph 6)
• a technology risk assessment (paragraph 7)

Accountants, tax advisers, and the wider financial services sector, should use the three risk assessments to adopt a risk-based approach in assessing the risks relating to their business, their customers and any technology used. Utilising a risk-based approach cannot provide a full guarantee to an accountancy firm or tax adviser that it will be protected from being used to facilitate ML/TF; however, it can assist businesses in understanding their risks and implementing AML/CFT measures to manage and mitigate these risks effectively.
Whilst accountants and tax advisers do not (ordinarily) handle funds or even participate in a financial transaction, they will often be able to see a bigger overall picture of a customer’s affairs through the inside knowledge of, and access to, customer records as well as a working relationship with the customer’s senior management. This insight into the wider picture of the customer places even more importance on understanding the risks of the services provided to a customer and how these services fit into a wider picture.

The services of the accounting and tax advisory sectors may be used by money launderers to provide an additional layer of legitimacy to the criminal’s financial arrangements, especially where the sums involved may be larger or revenue more frequent.

There are various ML/TF vulnerabilities that accountants and tax advisors should be aware of when assessing the risks of the services provided. These include –
• Financial and tax advice – there may be criminals who seek financial or tax advice in order to place certain assets out of reach and avoid future liabilities;
• Performing financial transactions – accountants may be approached to carry out or facilitate financial transactions, which may be on behalf of a criminal. The financial transactions could include depositing cash, withdrawing from accounts, issuing/cashing cheques or receiving international fund transfers;
• Introductions to financial institutions – criminals may seek to use accountants to legitimise an introduction to a financial institution. This is equally a vulnerability for financial institutions who may be used to facilitate introductions to accountants or tax advisers.

3.1 General Higher Risk Indicators

As with the basic elements of a risk assessment, discussed in chapter 2 of the Handbook, the following activities may increase the risk of the relationship. Just because an activity / scenario is listed below it does not automatically make the relationship high risk; the customer’s rationale / nature / purpose of the business relationship etc. should be considered in all cases.

If a business is unable to obtain a satisfactory explanation from a customer in the event of the following situations, features, or activities, or any other features which cause it concerns, it should be determined whether this is suspicious or unusual activity. Please refer to Part 7 of the Handbook for further detail of the Island’s suspicious activity reporting regime.
As stated in paragraph 13 (Ongoing monitoring) of the Code:

    13 Ongoing monitoring
    (2) Where a relevant person identifies any unusual activity in the course of a business relationship or occasional transaction the relevant person must –
        (a) perform appropriate scrutiny of the activity;
        (b) conduct EDD in accordance with paragraph 15; and
        (c) consider whether to make an internal disclosure.
    (3) Where a relevant person identifies any suspicious activity in the course of a business relationship or occasional transaction the relevant person must –
        (a) conduct EDD in accordance with paragraph 15 of the Code, unless the relevant person believes conducting EDD will tip off the customer; and
        (b) make an internal disclosure.

The below examples of high-risk indicators are by no means exhaustive and relevant persons should be vigilant about any transactions where suspicion may be aroused and take appropriate measures. Please also refer to the list of red flags included at 4.3.
• The customer requests services where the accountant / tax adviser does not have expertise (except where the accountant / tax adviser is making a referral to a suitably trained professional).
• The customer has no discernible reason for using the business’s services, or the business’s location.
• The customer is reluctant to provide normal information or provides only minimal information.
• The customer is reluctant to meet personnel from the firm in person and / or uses a “front person”.
• The customer’s documentation cannot be readily verified.
• The customer is reluctant to provide the business with complete information about the nature and purpose of the relationship including anticipated account activity.
• The customer is located in a higher risk jurisdiction.
• Customers that are cash (and / or cash equivalent) intensive businesses, such as:
    o money or value transfer services;
    o operators / brokers in virtual assets; and
    o dealers in precious metals or stones.
• Customers that are not usually cash intensive but appear to have substantial amounts of cash.
• The customer provides instructions intermittently and without legitimate reasoning.
• The customer’s transaction pattern suddenly changes in a manner that is inconsistent with the customer’s normal activities or inconsistent with the customer’s profile.
• Transactions involving numerous jurisdictions.
• Unexplained lack of information / transparency in the transaction.
• The customer changes the means of payment / transaction, without justification, at the last minute.
• Transactions are sent to or originate from higher risk jurisdictions without apparent business reason.
• Transactions are received from third parties.
• The customer has a history of changing accountants / businesses and using a number of businesses in different jurisdictions.
• The customer’s address is associated with multiple accounts that do not appear to be related.
• The customer is known to be experiencing extreme financial difficulties.
• The customer enquires about how to close accounts without explaining their reasons fully.
• The customer is indicating that they do not want to obtain the necessary government approvals / filings.
• The customer acts through intermediaries such as money managers or advisers in order not to have their identity registered.
• The customer exhibits unusual concern with the business’s compliance with Government reporting requirements and / or AML/CFT policies and procedures.
• The customer is using virtual assets and/or any other means of anonymous payment for a transaction / payment and lacks an apparent legitimate legal / tax / business rationale.

3.2 Red Flags

In addition to the above higher risk indicators, there are some factors that are likely to be “red flags” in relation to that particular relationship or occasional transaction and would therefore usually be suspicious activity. If a relevant person identifies suspicious activity, appropriate steps as explained in section 3 of this document, and the Code, must be taken.
This list of red flags is by no means exhaustive and is as follows:
• where it is identified a customer provides false or misleading information and / or has tried to conceal their identity;
• where it is identified a customer provides suspicious identification documents;
• the customer does not provide the business with relevant / accurate information about the nature and intended or ongoing purpose of the relationship, including anticipated account activity;
• the customer is secretive / evasive when asked to provide more information;
• when requested, the customer refuses to identify a legitimate source of funds or source of wealth;
• the customer refuses to provide details on beneficial owners of an account or provides information which is false, misleading or substantially incorrect;
• transactions are received from unknown third parties;
• the customer enquires about how quickly they can end a business relationship where it is not expected;
• where the business relationship is ended unexpectedly by the customer and the customer accepts unusually high fees to terminate the relationship without question;
• the customer appears to be acting on behalf of someone else and does not provide satisfactory information regarding whom they are acting for;
• the customer is known to have criminal / civil / regulatory proceedings against them for crime, corruption, misuse of public funds or is known to associate with such persons; and
• the customer is interested in paying higher charges to keep their identity secret.

4. Customer due diligence

Part 4 of the Code requires relevant persons to undertake customer due diligence and ongoing monitoring in relation to all business relationships. Chapter 3 of the Handbook provides guidance on how to identify and verify the identity of the customer in relation to both a natural and legal person. Also, guidance on the timing of identification and verification of identity is provided.

For details of particular concessions which may be relevant please see section 6 of this guidance and chapter 4 of the Handbook.

In all cases where the requirements of Part 4 of the Code cannot be met (Paragraphs 8(5), 9(9), 10(5), 12(11), 14(6), 15(8) and 19(11)) the procedures and controls must provide that –
(a) the business relationship must proceed no further;
(b) the relevant person must consider terminating¹ the business relationship; and
(c) the relevant person must consider making an internal disclosure.

The nature of the services provided by accountants and tax advisers means they are more likely to learn more about and have a better understanding of the customer’s business and the level / source of income than other Designated Businesses. This can be useful in assessing the ML/TF risks of the customers and the services they may be providing.

4.1 Source of funds

Paragraph 8(3)(e) of the Code requires the taking of reasonable measures to establish the source of funds for all new business relationships.
    8 New business relationships
    (e) taking reasonable measures to establish the source of funds, including where the funds are received from an account not in the name of the customer —
        (i) understanding and recording the reasons for this;
        (ii) identifying the account holder and on the basis of materiality and risk of ML/FT taking reasonable measures to verify the identity of the account holder using reliable, independent source documents, data or information; and
        (iii) if the account holder is assessed as posing a higher risk of ML/FT, satisfying the requirements in paragraph 15.

¹ In relation to a new business relationship (paragraph 8) the business relationship must be terminated.

As noted in section 3, the relationship accountants and tax advisors can have with their customers from a ML/FT risk perspective is different from that in other sectors; therefore additional guidance is provided below.

Where the sector is dealing with client monies the source of funds must be identified in line with the Code requirements. However, where no client monies are taken, or held, the business will still typically be receiving funds from customers in the form of fees. It is the source of the funds used for the payment of the fees which needs to be established.

The source of funds will typically be from the customer themselves or from a third party. Where fees are being paid by a third party, the business should identify and verify the identity of this third party where necessary. It should also seek to establish the relationship between the customer and the third party and consider the rationale for the payment and whether this appears reasonable.

Section 3.8 of the Handbook provides further details on source of funds and source of wealth.

5. Simplified customer due diligence measures

The following sets out further detail regarding concessions that may be applicable to the sector.

5.1 Generic designated business

Designated businesses may avail themselves of the concession at paragraph 18 of the Code, provided that certain conditions are met. Further guidance on this concession is provided at section 4.4 of the Handbook.

It will be primarily accountants and tax advisers that can avail themselves of the generic designated business concession. This is due to the fact that they often advise on aspects of a financial transaction rather than directly participating in the transaction.
Examples of the types of services that would fall within the definition of generic designated business include:
• the preparation and issuance of management accounts or statutory financial statements;
• the preparation and issuance of audit reports;
• bookkeeping services;
• providing tax advice to customers;
• the completion of annual tax returns on behalf of customers.
6. Case Studies

The typologies below are real life examples of risks that have crystallised causing losses and / or sanctions (civil and criminal) against the accountancy / tax advisor sector. It also includes an example of a type of higher risk customer relationship that an accountant or tax adviser may encounter.

6.1 Evasive Customer

A local tax advisory company is approached by a customer who is seeking advice on the tax implications of moving themselves, along with their companies and assets, to the Island. The tax adviser explains that in order to commence a business relationship, certain elements of CDD are required and sets out the requirements to the customer.

The customer is initially engaged with providing the requested documents; however, upon closer inspection, the tax adviser realises that the full documents have not been provided. This continues for two weeks and when it is reinforced to the customer that the requested documents must be provided, the customer exerts pressure on the firm by stating that the deadline for filing certain documents is approaching and provides a substantial financial retainer in order for the firm to start commencing work.

Following further discussions with the customer, it is apparent that they cannot provide the full requested documents and are showing reluctance to provide an explanation as to the source of funds for the financial retainer previously provided. The tax advisory firm explains to the customer that the relationship can proceed no further and returns the retainer.
There are a number of red flags within this case study, in particular:
• continued evasiveness of the customer and reluctance to provide documentation which will prove their identity;
• the pressure placed on the firm in relation to completing work prior to full CDD being obtained alongside the financial retainer being provided; and
• inability to satisfactorily explain the source of funds for the financial retainer.

The case study also highlights the risks if the business relationship continued, in particular the increased reputational risk if the firm was being used to facilitate tax evasion (a predicate offence) and thus increase the risk of facilitating ML/TF. As well, there is an increased risk of action being taken by the Authority as the tax advisory firm would have failed in its obligations to follow Part 4 of the Code.

(Based on an example provided in the Institute of Certified Public Accountants of Cyprus document ‘Case studies on fighting money laundering, terrorist financing and economic crime May 2018’.)