Authority Publishes Findings of Phase 1 BRA Thematic Review

Published on: 08 December 2025

The Isle of Man Financial Services Authority has published the findings from Phase 1 of a thematic review relating to the Business Risk Assessment (“BRA”), as required by paragraph 5 of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (“the Code”).

Following the completion of the BRA thematic in 2023/2024, which focused on the Trust and Corporate Service Provider (“TCSP”) sector, this cross-sectoral review is aimed at building on those initial observations and best practices.

The Authority is reviewing the extent to which relevant persons have undertaken an assessment of their exposure to risks such as money laundering (“ML”), terrorist financing (“TF”) and proliferation financing (“PF”), with a specific focus on how firms analyse, mitigate and document their BRA risks effectively, applying the preventative measures set out in the Code.

As part of Phase 1, information on the BRA was gathered via a questionnaire issued earlier this year to 30 supervised entities across various sectors.

The Phase 1 report, which is available to view online, sets out each question asked, along with the responses submitted. It provides the Authority’s observations on the data, some examples of best practice, as well as direct comparison to the results from the Phase 1 TCSP BRA Thematic 2023.

Phase 2 of the project, consisting of desk-based inspections focusing on selected entities’ BRAs, is currently in progress, with the results expected to be published in 2026.

Kinga Chmielowska, a Manager in the AML/CFT Supervision Division and lead for the project, said: ‘The report shares valuable insight into the data collected as part of Phase 1 of the project, with analysis of the data against the previous questionnaire results issued in 2023. An effective business risk assessment is vital in risk management; it provides relevant persons with a structured understanding of the ML/FT/PF risks they face and the extent to which they are exposed, allowing for the necessary controls to be implemented to mitigate those risks.

She added ‘We encourage all supervised entities to read the Phase 1 report and take any required action to ensure their own BRA is robust and up-to-date, with the assessment having due regard to all the prescribed risk factors of paragraph 5(3) of the Code.’