RORA Is a Different Animal. Let's Treat It Like One.
The Isle of Man Financial Crime Partnership (IOM FCP) published guidance on limited services provision in March 2026. It is a timely document and the topic deserves the attention. The scenarios are ones that lots of CSPs will recognise and the mitigations are sensible as far as they go.
The difficulty is where they start.
The FCP guidance is largely a reactive framework. It tells you what to think about when a client fails to notify you of changes, when you discover a new shareholder through your own screening rather than because the client thought to mention it, when the information you relied on at onboarding has drifted away from the reality on the ground over time. All of which is incredibly useful but I wonder whether the better option might be redesign rather than reaction.
Legacy arrangements
In my practice, I rarely see CSP clients happy to take on new RORA relationships because they are very aware of the inherent risk. But every CSP tends to have ones that predate the current framework; they were agreed to grudgingly as an add-on for a high-value client, or they are part of a relationship that nobody has quite managed to exit cleanly, or the registered office was provided as a short-term courtesy and has somehow become permanent.
Every established CSP has at least one of these. Many have several.
These arrangements simply do not sit comfortably inside the usual high, medium, low risk framework designed to facilitate the management of risk generated by fully managed services.
The risk profile of a limited services client is structurally different from a fully administered one; you do not have the visibility that a directorship provides. You cannot see what the company is doing. You are dependent on the client telling you. Treating a RORA client as simply a high-risk version of your standard client base misunderstands the nature of the problem and will in fact land you squarely within the scope of what the IOM FCP was attempting to assist with: chronic reactivity.
If we admit that these relationships are a completely different animal, we should deal with them as such.
Going back to basics
The first and most important step is to recognise that legacy limited services clients need their own regime. Not a higher risk rating within your standard review cycle, but a separate, dedicated monitoring approach that reflects the specific challenge they present.
That means proactive contact at a minimum of, I'd suggest, once per quarter as a matter of course, because a year is too long to go without understanding what a company you have limited visibility over has been doing.
The manner of contact itself matters as much as the frequency. The most common failure I see in these cases is the template email asking the client to send “any new documents since the last review”. It sounds reasonable and in most cases produces almost nothing useful. Clients do not document or minute everything they do, and the question invites them to decide what is relevant rather than prompting them to tell you the things you actually need to know.
The questions need to be reframed and made specific. Has the company entered into any new contracts or business arrangements since we last spoke? Has there been any change to its activities, its locations, or the jurisdictions it is operating in? Have there been any changes to ownership or to the people involved in running the business? Has anything happened that you would describe as significant, even if you are not sure whether it affects us?
These are the types of questions that produce answers. "Please send any new documents" produces silence, or a brief confirmation that everything is fine.
Relationship tools
The key to a safe RORA relationship is the relationship itself.
Email is the path of least resistance and frequently the least effective channel for this kind of conversation. A client who does not volunteer information in response to a written request will often give you considerably more on a video call, partly because it is harder to be evasive in a conversation and partly because a relationship maintained through genuine contact is more likely to produce honest disclosure than one managed entirely through a compliance inbox.
Quarterly video calls with limited services clients, treated as relationship conversations rather than compliance exercises, produce better information and create a clearer audit trail of genuine engagement. They also make it significantly harder for a client to claim later that they were not aware of their obligations to keep you informed.
The escalation ladder
Some legacy limited services arrangements will inevitably, despite best efforts, remain unmanageable. The monitoring produces thin responses; the client is consistently evasive. The risk picture becomes harder to defend. At that point, before reaching for the emergency exit, there is one option worth exploring first: push for a place on the board.
A directorship converts a limited services relationship into an administered one. It gives you the visibility and control that the RORA arrangement lacks. It is almost always the right answer commercially as well as from a risk perspective, because the alternative is either carrying unmanaged risk indefinitely or the disruption and reputational complexity of a termination. Clients in this position often resist on cost grounds. The response to that is straightforward: a discount on fees is a reasonable price for the control that makes the relationship defensible.
If the client will not accept a directorship and the arrangement cannot be managed safely on any other basis, then termination may be the only answer. But it is the last step on the ladder, not the first response to a difficult relationship.
What this looks like in practice
A legacy limited services portfolio, properly managed, looks like this: a discrete list of clients maintained separately from the standard review cycle, with a documented rationale for each relationship and a clear record of what makes it manageable. Quarterly contact on the file, conducted by video call where possible, with a standard set of operational questions tailored to that client that prompt disclosure rather than invite confirmation. A record of each contact, what was asked, what was said, and what action, if any, was taken as a result.
When a review produces a red flag, the response is documented and escalated in the usual way. When a review produces nothing of concern, that is also documented, because the absence of a problem is only useful as evidence if you can show the question was genuinely asked.
The FCP guidance describes what can go wrong when limited services clients are not managed well and how to react. The best off-ramp from chronic reactivity is a firm that resets its relationships with RORA clients from the ground up.

