Public statement concerning the imposition of a Civil Penalty under section 37 of the Insurance Act 2008 – Isle of Man Assurance Limited (“IOMA”)
1.1 The Financial Services Authority (the “Authority”) makes this public statement in accordance with powers conferred upon it under section 35(1)(a) of the Insurance Act 2008 (the “Act”).
1.2 This action supports the Authority’s regulatory objectives of reducing financial crime and maintaining confidence in the Island’s financial services industry.
1.3 An investigation into IOMA by the Authority identified a number of regulatory failings and the Authority has deemed it necessary and proportionate that, in all the circumstances, IOMA be issued with a discretionary civil penalty under section 37 of the Act in the total sum of £124,440 discounted by 30% to £87,108 (the “Civil Penalty”).
1.4 The level of the Civil Penalty reflects the fact that IOMA has co-operated with the Authority and agreed settlement at an early stage, employing the Authority’s Enforcement Decision-Making Process (“DMP”).
1.5 The penalty, imposed at Level 2, further reflects the fact that:
1.5.1 IOMA’s failings were both systemic and long-standing.
1.5.2 IOMA has already taken substantial steps to remediate the failings identified in this public statement.
1.5.3 IOMA has proactively engaged a professional third party to report on the progress of its remediation.
2.1 IOMA is authorised by the Authority in accordance with section 6 of the Act to undertake regulated insurance business.
2.2 In July 2018, IOMA was the subject of a routine supervisory inspection by the Authority in accordance with its statutory powers under Schedule 5 of the Act, which includes the power to investigate compliance with AML/CFT requirements within the meaning of the Anti-Money Laundering and Countering the Financing of Terrorism Code 2015 (the “Code”) and the Corporate Governance Code of Practice for Regulated Insurance Entities (“the CGC”).
2.3 Upon identification of certain issues in relation to IOMA’s compliance with both the Code and the CGC, the Authority decided to formally investigate whether IOMA continued to satisfy the Authority that it was ‘fit and proper’ to be authorised under the Act (the “Investigation”). To be authorised under the Act, a person is required to satisfy the Authority that, inter alia, it is a fit and proper person and that its controllers, directors and chief executive (if any) are fit and proper persons. This ‘test’ is an initial test at authorisation and is an ongoing one.
3. Investigation conclusions
3.1 Having obtained consent from a Justice of the Peace to exercise its compulsion powers under paragraph 3 of Schedule 5 to the Act, the Authority undertook a range of interviews with a number of persons.
3.2 The Investigation identified a range of issues in relation to IOMA’s compliance with both the Code and the CGC which, on reasonable grounds, brought into question IOMA’s fitness and propriety.
3.3 Amongst those matters established were that:
3.3.1 Contrary to the Code, IOMA was unable to evidence that it had been undertaking customer risk assessments for large periods of time and that those in more recent times were inadequately documented.
3.3.2 Contrary to the Code, IOMA had failed to undertake a formal technological risk assessment.
3.3.3 Contrary to Part 4 of the Code, IOMA failed to evidence appropriate arrangements to effectively monitor customer and business relationships on an ongoing basis.
3.3.4 Contrary to paragraphs 14 and 15 of the Code, IOMA failed to evidence that it was operating appropriate procedures and controls in respect of, or monitoring, higher risk clients and/or clients who were/are politically exposed persons.
3.3.5 The absence of suitable arrangements detailed above further constitutes a number of breaches of the regulatory requirements imposed on regulated insurance entities by way of the CGC.
3.4 The matters above were aggravated due to the long-standing period of time over which non-compliance occurred and because a number of the matters identified by the Authority had previously been reported to IOMA by its control functions.
3.5 Notwithstanding these findings, the Authority has concluded that, in all the circumstances, apart from the Civil Penalty, no further regulatory sanction is necessary and therefore IOMA remains authorised to carry on undertaking regulated insurance business.
4.1 The Authority is satisfied that the imposition of the Civil Penalty to IOMA reflects the serious nature of the regulatory failings identified and that this public statement will encourage others to comply with the legal and regulatory requirements and obligations that are fundamental to the conduct of business in the regulated insurance sector.
4.2 In accordance with the DMP, IOMA entered into settlement discussions with the Authority and, having accepted the Investigation conclusions, sought to finalise matters expeditiously. The Authority acknowledges and welcomes IOMA’s co-operative approach and believes that this is a further positive endorsement of the DMP.
5. Cooperation and Remediation
The Authority is satisfied that IOMA cooperated fully and engaged positively with the Authority’s regulatory enforcement action. IOMA took the first opportunity to engage in the Authority’s DMP and settlement procedure. IOMA demonstrated that:
5.1.1 at the time of the Investigation, IOMA had already commenced a review of its procedures in relation to all its clients;
5.1.2 at the time of the settlement, IOMA had already implemented new procedures which addressed the failings which had resulted in the imposition of this Civil Penalty; and
5.1.3 at the time of the settlement, IOMA had engaged a professional third party, at its own expense, to undertake a wholesale review of its control environment. The report of the third party will be provided to the Authority.
6. Key Learning Points for Industry
- Compliance with the Code is mandatory, not optional.
- Non-compliance with the Code increases the risk that a regulated entity’s products and services could be exploited by those who would wish to launder money or finance terrorism.
- The Board of a regulated entity should have appropriate regard to (a) the reports and concerns of their control functions and (b) their overriding obligations to operate the business in compliance with its legal and regulatory obligations.
- A regulated entity should closely monitor the effectiveness of its risk and compliance functions and in particular how it ensures that the control processes established by the board are operated.
- The Authority expects the Board of a regulated entity to establish and foster a culture which reflects the importance of compliance with regulatory requirements.
- IOMA were proactive in responding to the concerns identified by the Authority and retained the services of a third party consulting firm to support IOMA in addressing its shortcomings and establishing and implementing a robust operational framework moving forward. The use of suitable independent professional resources to both address shortcomings and provide suitable validations to the Authority has enabled the Authority to conclude its investigation of IOMA.
- A regulated entity, having promptly and voluntarily entered into candid and open dialogue with the Authority, may, at the sole discretion of the Authority, receive a financial, or other regulatory sanction, rather than necessarily facing criminal prosecution if found by the Authority to have contravened the Code.
Source: IOMFSA (5 Aug 2020)