The Isle of Man Financial Services Authority's December 2025 AML/CFT Handbook update (Version 5, now consolidated into the April 2026 Handbook) does not rewrite the rules. It raises the bar on something harder: showing that you actually apply them. The shift is from box-ticking to judgement — and the clearest place it bites is how you justify relying on an introducer's customer due diligence. If you cannot explain that reliance in plain English, backed by documented reasoning, you are exposed.
For Isle of Man firms that take on introduced business, this is the practical change to act on. Everything else in the update is, in effect, the regulator restating an expectation it has held for years: risk assessments must be demonstrable and evidence-based. The Handbook is guidance under the AML/CFT Code 2019, and it is not a checklist — it expects a risk-based approach and informed judgement you can stand behind.
Introducers: where firms will get caught out
This is the biggest practical area. An introducer assessment is not optional — it forms part of your Customer Risk Assessment, and the expectation is that you assess the introducer relationship explicitly rather than assume it.
In practice that means being able to answer, on the file:
- Who is the introducer: their nature and status, where they operate and are based, and whether they are a "trusted person"?
- Did they actually meet the client, and where did the customer due diligence come from — the client directly, or third parties?
- What is the full CDD chain — how many layers of third parties are involved, and who collected the underlying information? The more layers, the higher the risk, and the more you need to evidence why reliance is still appropriate.
Section 2.2.10.4 of the Handbook sets out the risk factors an Introducer Risk Assessment must include — mirroring paragraph 9(4) of the AML/CFT Code: a risk assessment of the introducer; whether the introducer has met the customer; whether the CDD they provided came directly from the customer or from third parties; and, where third parties were involved, how many, who they were, whether any of them met the customer, whether any is a trusted person, and whether any are located outside the Island in a List C jurisdiction. The December 2025 update added these introducer considerations specifically, so if your current IRA template does not reflect them, it needs updating.
There is a helpful clarification here, and it cuts both ways. There is no requirement to formally verify the introducer's identity — but you must hold enough information to assess whether reliance is appropriate. That is a deliberate piece of discretion: the Authority is giving firms judgement, not a script. The corollary is that the judgement has to be real and recorded.
The single test to apply is simple: can you confidently explain why you relied on that introducer's CDD? You can rely on introducers, but you cannot outsource responsibility. If you cannot justify the reliance, you should not be relying on it.

"Demonstrable and evidence-based" is the standard
Introduced business is not a tick-box exercise. The IRA must be documented, specific to the introducer, and linked to the individual client — and you must be able to show what you considered, what you concluded, and why. If challenged, "we always accept business from this introducer" is not a defensible position. The conclusion matters less than the reasoning behind it.

Staff training is now a frontline control
This is a practical weak spot in many firms. Front-line staff have to recognise introduced business at onboarding and know when an IRA is required, what to ask, and when reliance is not acceptable. This connects directly to the Code's requirement that staff understand the firm's procedures and controls. A defensible reliance framework on paper achieves little if the people opening relationships cannot apply it in the moment.
BRA and TRA: a clarification, not a change
The Handbook clarifies (at section 2.2.7) that firms may record the Business Risk Assessment (BRA) and the Technology Risk Assessment (TRA) in a single document — but they remain distinct assessments, each addressing its own required factors. Many firms already work this way; the gap is usually documentation that does not make the two assessments clearly separable. If your combined document blurs them, tidy it before someone else has to.
CEPs: refining risk, not a new category
The December 2025 update also expanded the guidance on Commercially Exposed Persons (CEPs) (section 3.8.13). A CEP is a person who, through their position or activity, faces an increased risk of bribery, corruption, fraud or money laundering. The Handbook applies a two-part test: the person is associated, through their occupation, with an industry carrying higher corruption risk (the Handbook's examples include sectors such as arms, oil and construction); and they hold decision-making power, influence or ultimate control within that role. A board member or senior executive in such a sector would typically qualify; an employee with no such influence would not. Crucially, this is about commercial exposure and control — not political status, which is what separates a CEP from a PEP. It refines how you assess risk; it is not a new category.
The underlying shift: judgement over process
The strongest theme across the update is that the Handbook is not a checklist and must not be treated as one. The Authority expects firms to apply a risk-based approach, exercise informed judgement, and be able to explain and evidence their decisions — most visibly around introducer reliance, the use of third parties, and the application of CDD measures.

What this means for your firm
You do not need to rebuild everything. You do need to ask honest questions of your current arrangements:
- Do we have an Introducer Risk Assessment that matches the Handbook's required factors?
- Do we actually assess whether we trust an introducer — or do we assume it?
- Can we explain, from the file, why we relied on the CDD provided?
- Would a supervisor understand our rationale from our documentation alone?
If the answer to any of those is no, that is your gap. The update is not about new rules — it is about being able to justify what you are already doing.
We help Isle of Man firms rebuild Introducer Risk Assessment templates aligned to the Handbook, risk-rate existing introducer relationships properly, implement defensible reliance frameworks (not just policies), deliver targeted staff training on introduced business, and clean up BRA, CRA and TRA documentation so it stands up to scrutiny.
Frequently asked questions
Does the AML/CFT Handbook update change the rules on introducers?
Not fundamentally. It raises the bar on evidencing how you apply the existing rules — in particular, demonstrating why your reliance on an introducer's customer due diligence is appropriate. The substance is the same; the standard of demonstrable, documented judgement is higher.
Do we have to verify an introducer's identity?
There is no requirement to formally verify the introducer's identity, but you must hold enough information to assess whether relying on them is appropriate. It is a judgement call — and one you need to document, because you can rely on an introducer but cannot outsource your responsibility.
Can we combine our BRA and TRA in one document?
Yes — the Business Risk Assessment and Technology Risk Assessment can sit in one document, provided they remain distinct assessments that each address their own required factors. The common failing is documentation that does not keep the two clearly separable.
