Public Statement concerning the imposition of a civil penalty on RL360

RL360 Insurance Company Limited and RL360 Life Insurance Company Limited (together referred to as “RL360”)

 

1.  Action

1.1 The Isle of Man Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred upon it under each of section 35 of the Insurance Act 2008 (the “IA08”) and regulation 5(7) of the Anti-Money Laundering and Countering the Financing of Terrorism (Civil Penalties) Regulations 2019 (the “Regulations”).

1.2 The making of such public statement supports the Authority’s regulatory objectives of, among other things, securing an appropriate degree of protection for customers of persons carrying on a regulated activity, reducing financial crime and maintaining confidence in the Isle of Man’s financial services industry.

1.3 Following an inspection of RL360 by the Authority under section 36 of the IA08 (the “Inspection”), which identified a number of contraventions by RL360 in relation to the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the “Code”), the Authority has deemed it reasonable, appropriate and proportionate, in all the circumstances, that RL360 be required to pay a civil penalty imposed under the Regulations in the sum of £2,785,714, which is discounted by 30% to £1,950,000 (the “Civil Penalty”).

1.4 RL360 has proactively brought about operational changes across its business to address the issues identified and it has already taken substantial steps to remediate matters. Further, the Authority acknowledges the constructive and pragmatic dialogue between RL360 and the Authority and gives credit for the engagement in this regard.

1.5 The level of the Civil Penalty reflects the level of co-operation with the Authority and that a settlement was agreed at an early stage as well as RL360’s proactive implementation of operational enhancements to address the issues identified. As with all discretionary civil penalties issued by the Authority, the level of the Civil Penalty is calculated as a percentage of RL360’s relevant income at the time that the contraventions noted within this public statement were identified. The absolute amount of the Civil Penalty relative to other civil penalties that have been issued by the Authority previously is not necessarily indicative of the seriousness of the contraventions and is determined each time on the facts of a particular matter. The level of a civil penalty is determined each time on the facts of a particular matter and regard is had by the Authority to the level and the percentage of civil penalties imposed in other matters. In determining the Civil Penalty, the Authority considered mitigating factors specific to the circumstances of this case.     

 

2. Background

2.1 RL360 at all material times has been authorised with the Authority as an authorised insurer pursuant to Section 8 of the IA08.

2.2 The Authority conducted the Inspection in February 2023 and identified a number of contraventions of the Code by RL360 (the “Contraventions”).

2.3 RL360 has engaged positively with the Authority throughout this matter in a timely and constructive manner.

2.4 RL360 undertook an extensive remediation programme to address the shortcomings identified and continues to enhance its related internal processes and procedures.

2.5 The RL360 remediation programme has not resulted in the risk profile of the business changing materially.

 

3. Key Findings from inspection report

Contraventions of the Code identified by the Inspection included:

  • The Business Risk Assessment (the “BRA”) did not independently assess Money Laundering/Terrorist Financing (“ML/TF”) risks specific to each entity and failed to adequately incorporate customer risk assessments and relevant risk factors into RL360's broader risk management framework. (Paragraph 5 of the Code)
  • The Customer Risk Assessment (“CRA”) process lacked sufficient detail, clarity, and a clear methodology. In some instances, high-risk customers were incorrectly classified, or their assessments failed to incorporate all relevant risk factors, including jurisdiction and product risk. (Paragraph 6 of the Code)
  • In some instances, RL360 could not evidence obtaining adequate documentation and sufficient due diligence collected at the point of onboarding. (Paragraph 8 of the Code)
  • RL360 conducted insufficient ongoing monitoring for high-risk customers, and trigger event reviews were often not carried out or were insufficient. This includes neglecting to reassess customer risk profiles when changes occurred. (Paragraph 13 of the Code)
  • For some matters, Customer Due Diligence (“CDD”) and Enhanced Customer Due Diligence (“ECDD”) records were insufficient, especially for high-risk customers such as PEPs. Missing or incomplete information, and a failure to evidence proactive assessment of customers' source of funds and wealth, resulted in non-compliance with AML obligations. (Paragraph 14 & 15 of the Code)
  • In some instances, RL360 failed to adhere to internal policies, such as annual reviews of high-risk customers, and did not fully follow procedures for ensuring that required CDD/ECDD was obtained, resulting in significant compliance gaps. (Paragraph 4 of the Code)
  • Business relationships with certain high-risk jurisdictions were not properly documented or factored into the CRA process. This impacted RL360’s ability to appropriately risk-rate customers and properly assess and manage risk. (Paragraph 30 of the code)

 

4. Key Learning Points for Industry

4.1 Compliance with the Code is a legal requirement; all firms undertaking business in the regulated sector have an obligation to conduct their affairs in a manner that adequately mitigates the risks faced by it in order to ensure that the Isle of Man retains its reputation as a responsible, and well regulated, international financial centre.

4.2 It is imperative that firms conduct a comprehensive, independent, and detailed risk assessment for each entity within their group. The CRA must be based on accurate data, consider all relevant risk factors (including customer geography, product type, and business activities), and be updated regularly to reflect any changes. The results of the CRA should directly inform the BRA to ensure that identified risks are fully integrated into the firm’s broader risk management framework (particularly when dealing with higher risk jurisdictions which should be noted in the CRA with appropriate senior management approval). A failure to properly assess and address the specific risks posed by customers will lead to regulatory breaches and inadequate AML controls.

4.3 Higher risk customers must be subject to ongoing monitoring, with periodic reviews conducted as per the risk rating assigned during onboarding. Ongoing monitoring cannot be neglected or limited to PEPs and sanction-listed individuals; any customer with higher risk indicators must undergo enhanced scrutiny, and trigger event reviews must be conducted in a timely, thorough, and consistent manner. A failure to adequately monitor higher risk customers exposes the firm to significant compliance risk. Sector specific guidance can be found on the Authority’s website that recommends how this ongoing monitoring can occur.

4.4 Firms are required to take a proactive approach to updating and maintaining accurate and complete customer information, not deferring CDD/ECDD updates until a trigger event occurs. Promptly obtaining and verifying missing or updated information where required ensures that customer profiles remain accurate and compliant with the AML Code[1].

4.5 If Internal policies, such as conducting annual reassessments of high-risk customers, are in place they must be rigorously followed. Non-compliance with these policies not only breaches internal standards but also undermines the firm’s ability to manage its AML risks effectively. Failing to follow documented procedures, particularly in relation to high-risk customers or jurisdictions, can lead to serious regulatory and reputational consequences.

 

[1] ‘Anti-Money Laundering and Countering the Financing of Terrorism Code 2019’ Para 10 Page 19 & Para 13 Page 23.