The Isle of Man: Privacy and Data Protection-related Laws

General Requirements by AML/CTF code

‘The Code requires relevant persons to have certain procedures in place. Paragraph 4 of the Code requires a relevant person to:

  • establish, maintain and operate procedures in relation to the following
    • risk assessment;
    • ongoing monitoring;
    • customer due diligence (CDD);
    • record keeping and compliance;
    • staff appointment and training;
    • appropriate reporting and disclosures; and
    • any other internal controls and communication procedures that are appropriate for the purposes of preventing and detecting ML/FT.
  • take appropriate measures for the purpose of making employees and workers aware of
    • the procedures established, maintained and operated above; and
    • the AML/CFT requirements;
  • monitor and test compliance with the Code in accordance with paragraph 29;
  • provide education and training to its staff in accordance with paragraph 31; and
  • comply with paragraphs 38 and 40 which is the use of Shell Banks and fictitious/anonymous/numbered accounts respectively.

These procedures and controls must be approved by the senior management of the relevant person and evidence of this approval should be made available to competent authorities upon request. Examples of such evidence include board minutes or similar documentary evidence.

It is a criminal offence for a relevant person to fail to establish, maintain and operate the procedures listed above. Where such an offence is committed with the consent or connivance of, or is attributable to neglect on the part of an officer of the business, he too shall be deemed to have committed a criminal offence. The definition of “officer” includes a director, manager, board member or secretary and a person purporting to act as such.’

Due to the nature of the rapidly evolving sector, the Authority expects that VC businesses should review and update their business risk assessment each time there is a new technological developments risk assessment or at least 6-monthly.

The general requirements of a business risk assessment are covered in the paragraph above. The additional factors below are of high importance to VC businesses and should be included in detail in the business risk assessment.

  • Inherent product risks - The business risk assessment should include the full list of inherent risk factors listed in section 4 of this document with a note confirming which of the listed factors are applicable to the relevant person’s business and why. For those that are applicable, there should also be a note detailing the steps taken and processes in place to mitigate the identified risk.

  • Application of the AML/CFT requirements - The business risk assessment should include the sub-headers listed under the application of AML/CFT requirements at section 5 of this document with a note confirming any difficulties the relevant person is likely to face in complying with the listed requirements and detailing the measures that have been put in place to combat each of these difficulties.

The relevant person will be expected to demonstrate to the Authority how it has been able to overcome such challenges in order to comply with the AML/CFT requirements. Instances in which the relevant person has not been able to comply with the AML/CFT requirements should be escalated to the Authority in a timely manner and must be formally documented in their annual compliance return.

For further detail, please see:

  • Virtual Currency (VC) Business Sector Specific AML/CFT Guidance Notes October 2016
  • Anti-Money Laundering and Countering the Financing of Terrorism Handbook, July 2017

