Public Statement Concerning the Imposition of a Civil Penalty on Income Plus Services Limited (‘IPSL’)

1. Action

1.1 The Isle of Man Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred upon it under each of section 27 of the Designated Businesses (Registration and Oversight) Act 2015 (the “Act”) and regulation 5(7) of the Anti-Money Laundering and Countering the Financing of Terrorism (Civil Penalties) Regulations 2019 (the “Regulations”).

1.2 The making of such public statement supports the Authority’s regulatory objectives of, among other things, securing an appropriate degree of protection for customers of persons carrying on a regulated activity, reducing financial crime and maintaining confidence in the Isle of Man’s financial services industry.

1.3 Following an inspection of IPSL by the Authority under section 14 of the Act (the “Inspection”), which identified a number of contraventions by IPSL in relation to the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the “Code”), and the opening of a formal investigation (the “Investigation”), the Authority has deemed it reasonable, proportionate and appropriate, in all the circumstances, that IPSL be required to pay a civil penalty imposed under the Regulations.

1.4 The Regulations allow for penalties to be imposed at two levels depending on the seriousness of the contraventions of the Code identified. Penalties imposed equate to a percentage of the Relevant Person’s income (as such terms are defined in the Regulations). In this instance, the Authority has deemed that the contraventions of the Code identified, in all of the circumstances, merit that a civil penalty be imposed in the higher, Level 2, penalty bracket.

1.5 The civil penalty imposed on IPSL is the sum of £48,356, which is discounted by 30% to £33,850 (the “Civil Penalty”).

1.6 The level of the Civil Penalty reflects the fact that IPSL co-operated with the Authority and agreed settlement at an early stage.

2. Background

2.1 IPSL at all material times has been registered with the Authority as a Payroll Agent under the Designated Businesses (Registration and Oversight) Act 2015.

2.2 In July 2023 the Authority held a business meeting with IPSL where it was noted that there were considerable gaps in the firm’s Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) control framework and overall understanding of risk. The Authority subsequently conducted a risk-based Inspection of IPSL in December 2023. During the AML/CFT inspection of IPSL the Authority identified a significant number of contraventions of the Code (the “Contraventions”). The subsequent Authority Investigation confirmed the findings of the Inspection.

2.3 IPSL has engaged positively with the Authority throughout this matter in a timely and constructive manner.

2.4 IPSL proactively engaged an independent third-party professional to help progress its remediation plan. The remediation plan was completed within a timescale agreed with the Authority.

 

3. Key Findings from Inspection Report and Investigation

Contraventions of the Code identified by the Inspection included:

3.1 IPSL failed to establish, record, operate or maintain procedures and controls relating to its Business Risk Assessment (“BRA”), Customer Risk Assessment (“CRA”), customer screening, ongoing monitoring, including transaction monitoring, and monitoring and testing compliance with the AML/CFT legislation (paragraph 4 of the Code).

3.2 IPSL’s BRA did not consider all the risk factors detailed in paragraph 5(3) of the Code and was not an assessment which estimated the risks of ML/FT posed by the business and its customers (paragraph 5 of the Code).

3.3 IPSL’s CRA did not amount to a CRA under paragraph 6 of the Code. It was therefore concluded that IPSL had not carried out an adequate assessment of the ML/FT risk of its customers. The CRA had no regard to the risk factors detailed in paragraph 6(3) of the Code and did not involve any risk assessment process or methodology (paragraph 6 of the Code).

3.4 IPSL did not demonstrate that it had adequate procedures and controls for new business relationships as required by the Code, that it was at all times taking reasonable measures to verify the identity of new customers, and it did not take reasonable measures to establish the source of funds (“SOF”) of new clients (paragraph 8 of the Code).

3.5 IPSL undertook no ongoing monitoring or screening of customers to check for exposure to sanctions, PEP or adverse information as required by the Code. IPSL’s failure to establish SOF before a business relationship was entered into meant it was not in a position to scrutinise transactions to determine whether or not they were consistent with the expected SOF of a transaction. As no CRA was undertaken, IPSL was unable to determine whether transactions were consistent with the customer’s business and risk profile (paragraph 13 of the Code).

3.6 IPSL did not establish, record, maintain or operate appropriate procedures and controls for the purpose of determining whether any customer (amongst other individuals) was, or subsequently became, a Politically Exposed Person (“PEP”) (paragraph 14(1) of the Code).

3.7 IPSL did not have procedures and controls in place for monitoring and testing compliance with the AML/CFT legislation. No reports were produced in accordance with the requirements of paragraph 30(2) of the Code. Such reports are required at least annually and serve as a confirmation of the firm's adherence to its legal obligations and the robustness of its AML/CFT framework (paragraph 30(2) of the Code).

 

4. Key Learning Points for Industry

4.1 The Isle of Man National Risk Assessment 2020 assesses the money laundering risk for Payroll Services as ‘Medium’, with terrorist financing being assessed as ‘Medium Low’. IPSL’s failure to maintain adequate AML/CFT procedures and controls, as required by the Code, made it more vulnerable to being used for money laundering. The contraventions were systemic and evidenced that IPSL had materially contravened the Code over a long period.

4.2 The procedures and controls required by the Code are vital to help protect the Relevant Person, their staff, their business and their communities from the threat of being used or abused by criminals or those assisting or enabling criminals. Relevant Persons must demonstrate they are protecting themselves in order to make their domain as hostile as possible to those who would abuse them. In this way, the procedures and controls are vital for the effective prevention of ML/FT and the harm that crime, terrorism and the proliferation of weapons of mass destruction present for wider society.

4.3 Ongoing monitoring of customers helps identify and mitigate potential risks associated with money laundering and terrorist financing. By continuously reviewing client activities and transactions, firms can detect suspicious behaviour early and take appropriate action. Regular screening against sanction lists, PEPs, and adverse media ensures that firms are aware of any changes in their clients' risk profiles. This allows for enhanced due diligence when necessary.

4.4 Compliance with the Code is a legal requirement; all firms undertaking business in the regulated sector have an obligation to conduct their affairs in a manner that adequately mitigates the risks they face, in order to ensure that the Isle of Man retains its reputation as a responsible and well-regulated international financial centre. The Authority is committed to taking reasonable, proportionate and appropriate action to address contraventions of the Code in order to help it achieve its regulatory objectives of protecting consumers, reducing financial crime and maintaining the reputation of the Isle of Man’s finance sector through effective regulation.

4.5 The directors of all firms undertaking business in the regulated sector bear ultimate responsibility for ensuring the effective implementation of, and ongoing compliance with, the Code. In particular, they must ensure that the (at least) annual review mandated by paragraph 30(2) of the Code is conducted diligently and comprehensively. This review is not merely a procedural formality, but a critical mechanism for evaluating the firm's adherence to its legal obligations and the robustness of its AML/CFT framework. Directors must actively oversee the planning, execution, and documentation of this review, ensuring that it:

i. is conducted by competent personnel with sufficient expertise and resource;

ii. covers relevant aspects of the firm's AML/CFT policies, procedures and controls;

iii. identifies and addresses any deficiencies or weaknesses in a timely manner; and

iv. is documented thoroughly, providing a clear audit trail of the review's findings and any remedial actions taken.

4.6 Directors must demonstrate a proactive and informed approach to this review, recognising its significance in safeguarding the firm from financial crime risks and maintaining the integrity of the Isle of Man's financial system. Their active involvement is essential in fostering a culture of compliance throughout the organisation and demonstrating a clear commitment to their AML/CFT obligations.

4.7 In today's rapidly changing regulatory environment, it is essential for firms to stay up-to-date with the evolving AML/CFT framework. The Authority remains committed to working with industry to enhance the Isle of Man’s ability to meet its international AML/CFT standards and has a number of AML/CFT resources on its website and other social media platforms, including webinars and sector-specific guidance.