Public statement concerning the imposition of a Civil Penalty under section 37 of the Insurance Act 2008 - Isle of Man Insurance Management (“IOMIM”)
1.1 The Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred upon it under section 35(1)(a) of the Insurance Act 2008 (the “Act”).
1.2 This action supports the Authority’s regulatory objectives of reducing financial crime and maintaining confidence in the Island’s financial services industry.
1.3 An investigation into IOMIM by the Authority identified a number of regulatory failings and the Authority has deemed it necessary and proportionate that, in all the circumstances, IOMIM be issued with a discretionary civil penalty under section 37 of the Act in the total sum of £11,099 discounted by 30% to £7,770 (the “Civil Penalty”).
1.4 The level of the Civil Penalty reflects the fact that IOMIM co-operated with the Authority and agreed settlement at an early stage, employing the Authority’s Enforcement Decision-Making Process (“DMP”).
1.5 The penalty, imposed at Level 2, further reflects the fact that:
1.5.1 IOMIM’s failings were both systemic and long-standing.
1.5.2 IOMIM have already taken substantial steps to remediate the failings identified in this public statement.
1.5.3 IOMIM have proactively engaged a professional third party to report on the progress of its remediation.
2.1 IOMIM is registered as an insurance manager by the Authority in accordance with section 25 of the Act.
2.2 In May 2019 the Authority commenced an investigation into IOMIM to consider whether IOMIM continued to satisfy the Authority that it was ‘fit and proper’ to be registered under the Act (the “Investigation”) in accordance with its statutory powers under Schedule 5 of the Act, which includes the power to investigate compliance with AML/CFT requirements within the meaning of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015 (the “Code”) and the Corporate Governance Code of Practice for Regulated Insurance Entities (“the CGC”). To be registered under the Act, a person is required to satisfy the Authority that, inter alia, it is a fit and proper person and that its controllers, directors and chief executive (if any) are fit and proper persons. This ‘test’ is an initial test at authorisation and registration and is an ongoing one.
3. Investigation conclusions
3.1 The Investigation identified a range of issues in relation to IOMIM’s compliance with both the Code and the CGC that, on reasonable grounds, brought into question IOMIM’s fitness and propriety.
3.2 Amongst those matters established were that:
3.2.1 Contrary to the Code, IOMIM was unable to evidence that it had been undertaking customer risk assessments for large periods of time and that those in more recent times were inadequately documented.
3.2.2 Contrary to the Code, IOMIM had failed to undertake a formal technological risk assessment.
3.2.3 Contrary to Part 4 of the Code, IOMIM failed to evidence appropriate arrangements to effectively monitor customer and business relationships on an ongoing basis.
3.2.4 Contrary to paragraphs 14 and 15 of the Code, IOMIM failed to evidence that it was operating appropriate procedures and controls in respect of or monitoring higher risk clients and/or clients who were/are politically exposed persons.
3.2.5 The absence of suitable arrangements detailed above further constitutes a number of breaches of the regulatory requirements imposed on regulated insurance entities by way of the CGC.
3.3 The matters above were aggravated due to the long-standing period of time over which non-compliance occurred and because a number of the matters identified by the Authority had previously been reported to IOMIM by its control functions.
3.4 Notwithstanding these findings, the Authority has concluded that, in all the circumstances, apart from the Civil Penalty, no further regulatory sanction is necessary and therefore IOMIM remains registered as an insurance manager.
4.1 The Authority is satisfied that the imposition of the Civil Penalty to IOMIM reflects the serious nature of the regulatory failings identified and that this public statement will encourage others to comply with the legal and regulatory requirements and obligations that are fundamental to the conduct of business in the regulated insurance sector.
4.2 In accordance with the DMP, IOMIM entered into settlement discussions with the Authority and, having accepted the Investigation conclusions, sought to finalise matters expeditiously. The Authority acknowledges and welcomes IOMIM’s co-operative approach and believes that this is a further positive endorsement of the DMP.
5. Cooperation and Remediation
The Authority is satisfied that IOMIM cooperated fully and engaged positively with the Authority’s regulatory enforcement action. IOMIM took the first opportunity to engage in the Authority’s DMP and settlement procedure. IOMIM demonstrated that:
5.1.1 at the time of the Investigation, IOMIM had already commenced a review of their procedures in relation to all its clients;
5.1.2 at the time of the settlement, IOMIM had already implemented new procedures which addressed the failings which had resulted in the imposition of this Civil Penalty; and
5.1.3 at the time of the settlement, IOMIM had engaged a professional third party, at its own expense, to undertake a wholesale review of its control environment. The report of the third party will be provided to the Authority.
6. Key Learning Points for Industry
- Compliance with the Code is mandatory not optional.
- Non-compliance with the Code increases the risk that a regulated entity’s products and services could be exploited by those who would wish to launder money or finance terrorism.
- The Board of a regulated entity should have appropriate regard to (a) the reports and concerns of their control functions and (b) their overriding obligations to operate the business in compliance with its legal and regulatory obligations.
- A regulated entity should closely monitor the effectiveness of its risk and compliance functions and in particular how it ensures that the control processes established by the board are operated.
- The Authority expects the Board of a regulated entity to establish and foster a culture which reflects the importance of compliance with regulatory requirements.
- IOMIM were proactive in responding to the concerns identified by the Authority and retained the services of a third party consulting firm to support IOMIM in addressing its shortcomings and establishing and implementing a robust operational framework moving forward. The use of suitable independent professional resources to both address shortcomings and provide suitable validations to the Authority has enabled the Authority to conclude its investigation of IOMIM.
- A regulated entity, having promptly and voluntarily entered into candid and open dialogue with the Authority, may, at the sole discretion of the Authority, receive a financial, or other regulatory sanction, rather than necessarily facing criminal prosecution if found by the Authority to have contravened the Code.