The AML/CFT Handbook (April 2026): A Compliance Health-Check for Isle of Man Firms

If you run compliance at an Isle of Man firm, the question worth asking this year is not "are we compliant?" but "is our framework aligned to the Handbook that is actually in force?" The current edition is the Anti-Money Laundering and Countering the Financing of Terrorism Handbook — April 2026, issued by the Isle of Man Financial Services Authority. It is guidance, not law: the AML/CFT Code has primacy, and the underlying legislation takes precedence over the Handbook in any discrepancy. The Handbook applies to all relevant persons in the regulated sector under Schedule 4 of the Proceeds of Crime Act. Treat it as the FSA's statement of what good looks like, and use it to check your own framework. The areas most worth pressure-testing are the three statutory risk assessments — your Business Risk Assessment, Customer Risk Assessment and Technology Risk Assessment — whether you are working to AML/CFT/CPF or still only "AML/CFT", and whether your BRA is aligned to the national risk picture.

What is the AML/CFT Handbook, and what status does it have?

The Handbook is the FSA's guidance for relevant persons in the regulated sector. The April 2026 edition is issued under section 12 of the Financial Services Act 2008 and section 32 of the Designated Businesses (Registration and Oversight) Act 2015. It explains how the Authority expects firms to meet their obligations and sets out what supervisors look for.

It is not the law. The AML/CFT Code has primacy, and the AML/CFT/CPF legislation takes precedence over the Handbook wherever the two appear to diverge. That distinction matters in practice: a firm cannot defend a gap by pointing only to the Handbook, because the statutory duty sits in the Code. Read the Handbook as the route map and the Code as the obligation.

A first health-check, then, is version control. Confirm the edition your policies and procedures reference is the one currently in force, and that internal documents have not drifted to an older Handbook. The April 2026 Handbook is the current edition; the delta from the previous version is incremental rather than a wholesale rewrite, so the value is less in chasing a line-by-line changelog and more in testing your framework against the live text.

If you want a second pair of eyes mapping your policies to the Handbook that is actually in force, that is exactly the kind of review we run.

AML/CFT — or AML/CFT/CPF? Proliferation financing is in scope

Many firms still describe their framework as "AML/CFT". The Handbook's consistent term is AML/CFT/CPF — Countering Proliferation Financing, meaning the financing of the proliferation of weapons of mass destruction. It is not a footnote bolted on at the end; it runs through the Handbook as part of the same obligation set.

The practical check is whether proliferation financing is genuinely reflected in your framework, or whether "CPF" has been added to a heading without changing anything underneath it. Does your Business Risk Assessment consider proliferation-financing exposure? Do your customer screening, sanctions checks and ongoing monitoring account for it? A framework that names CFT but treats proliferation financing as out of scope is working to an older mental model than the one the Handbook sets out.

The three risk assessments your framework must evidence

The spine of any AML/CFT/CPF framework is three statutory assessments, each anchored in the Code: the Business Risk Assessment (Code §5), the Customer Risk Assessment (Code §6) and the Technology Risk Assessment (Code §7). All three must be documented, kept under review, and able to stand up to a supervisor reading them.

The Business Risk Assessment is the firm-level view: the money-laundering, terrorist-financing and proliferation-financing risks your particular business is exposed to, given what you do, who you serve and how. The Customer Risk Assessment estimates the risk posed by each customer and drives the level of due diligence and ongoing monitoring you apply. The Technology Risk Assessment estimates the ML/FT/PF risk posed by the technology your business uses — a distinct, often-missed assessment, and not the same as a cyber-security review or IT audit. We will publish a dedicated piece on the TRA, and another on building a defensible CRA, later this month.

These are not three forms filed once. They sit in a continuous feedback loop: the BRA frames the risks the firm faces; the CRA applies that picture to each relationship and feeds real customer data back up; the TRA tracks how the systems you rely on change the risk. Read in isolation, each is weaker; read together, they should tell one coherent story about how your firm understands and manages its risk. A common failure we see is a static "file-and-forget" BRA that no longer matches the firm's actual customer base or systems — the opposite of the evidence-led, reconciled approach the Code expects.

If your BRA, CRA and TRA were written at different times by different people and have never been reconciled to each other, they are worth pressure-testing before a supervisor does it for you.

How should your BRA align to the national risk picture?

A firm's Business Risk Assessment does not sit in a vacuum. The Handbook expects firms to take account of the Isle of Man's National Risk Assessment (NRA) — the jurisdiction-level view of money-laundering, terrorist-financing and proliferation-financing risk. The Handbook notes that the NRA is currently undergoing a wholesale revision, so the national picture is itself in motion, and a National Risk Appetite Statement issued by the Isle of Man Government now sits among the Handbook's listed sources.

For your health-check, the question is whether your BRA can show it has had regard to the national picture, rather than treating risk as a purely internal matter. The risks the jurisdiction flags as elevated should be visible in how your BRA reasons about your own exposure. With the NRA under revision, this is a live area: a BRA that was aligned to an earlier national view may need revisiting as the revised picture and the risk-appetite statement settle.

This is where Knight's "don't file it and forget it" position bites. The statistical return your firm submits is regulator-designed evidence that should feed back into the BRA, and our guide to the evidence behind your BRA sets out how to reconcile the two so the assessment reflects your firm's own data rather than a generic template.

Where do firms most often fall short?

The recurring gaps are not exotic. The first is version drift — policies and procedures still pointing at an older Handbook edition while the firm assumes it is current. The second is the static BRA or CRA: an assessment completed once and never reconciled to the firm's real customers, products or data, which reads to a supervisor as box-ticking rather than understanding.

The third is the missing or token TRA. Because the Technology Risk Assessment is the newest of the three to land in many firms' thinking, it is the one most often absent, or quietly merged into an IT-security review that does not actually estimate ML/FT/PF risk from technology. New and developing technology — AI tools, new electronic-onboarding systems, and the like — belongs in scope here.

The fourth is CPF treated as a label. Proliferation financing named in a heading, but not worked through the BRA, screening and monitoring, leaves a framework that claims more coverage than it delivers. None of these requires a rebuild; each requires reading your own documents against the live Handbook and the Code and asking whether they would convince someone who has not written them.

The Handbook also sets detailed expectations around source-of-funds and source-of-wealth, politically and commercially exposed persons, and introducer reliance. On that last point, our note on introducer reliance under the Handbook covers the eligible-introducer position and the risk assessment that reliance now calls for.

A health-check is most useful before a supervisory visit, not after one. If you would like us to run your framework against the April 2026 Handbook and tell you plainly where it stands, we are glad to help.

Frequently asked questions

Is the AML/CFT Handbook law in the Isle of Man?

No. The April 2026 Handbook is guidance issued by the Isle of Man Financial Services Authority under section 12 of the Financial Services Act 2008 and section 32 of the Designated Businesses (Registration and Oversight) Act 2015. The AML/CFT Code has primacy, and the underlying legislation takes precedence over the Handbook in any discrepancy. Treat the Handbook as the FSA's guidance on how to meet the statutory obligations, not as the obligation itself.

What does AML/CFT/CPF stand for?

It stands for Anti-Money Laundering, Countering the Financing of Terrorism, and Countering Proliferation Financing — the financing of the proliferation of weapons of mass destruction. The April 2026 Handbook uses AML/CFT/CPF consistently, with proliferation financing integrated throughout rather than treated as a separate concern. Firms still describing their framework as only "AML/CFT" should check that proliferation financing is genuinely reflected in their assessments and controls.

What are the three statutory risk assessments?

The Business Risk Assessment (Code §5), the Customer Risk Assessment (Code §6) and the Technology Risk Assessment (Code §7). Each must be documented and kept under review, and they operate as a continuous feedback loop rather than as three independent forms. The BRA frames the firm's risks, the CRA applies that to each customer, and the TRA addresses the ML/FT/PF risk posed by the technology the firm uses.

How does the National Risk Assessment affect my firm's BRA?

The Handbook expects a firm's Business Risk Assessment to take account of the Isle of Man's National Risk Assessment, and a National Risk Appetite Statement issued by the Isle of Man Government now sits among the Handbook's listed sources. The NRA is currently undergoing a wholesale revision, so the national picture is in motion. Your BRA should be able to demonstrate that it has had regard to that national view and is reviewed as the revised picture settles.

Knight Consultancy Limited
(Company No: 136669C)
Design House, Hills Meadow, Douglas,
Isle of Man, IM1 5EB
