CLARITY - our library of practical, frank compliance information for regulated businesses

Introducing the Introducer: What Introduced Business Really Means for Isle of Man Firms

Many Isle of Man firms have a clear sense of who their introducers are. There is the accountant who sends work regularly, the overseas law firm with a long-standing relationship, perhaps a wealth manager in a friendly jurisdiction. Those relationships are managed, documented, and understood. What is less commonly appreciated is how much broader introduced business as set out in paragraph 9 of the AML/CFT Code actually is, and how many onboardings involve it without the firm registering that it does.

The December 2025 AML/CFT Handbook update brought useful clarification on what the introducer risk assessment should cover and, perhaps more notably, on what it does not require. It is a good prompt to revisit the basics.

The definition is widely drawn

Under the AML/CFT Code, an introducer is not simply someone who refers a client. An introducer is anyone who is not the client and who provides “any element of customer due diligence” to the firm in the course of establishing a business relationship. The test is not about the commercial relationship or the reason for the involvement. It is about what information or documentation they have provided.

The range of what counts as an “element of CDD” is broad. It includes identifying the client, verifying their identity, verifying the legal status of a client entity, identifying or verifying a beneficial owner, providing information on the nature and intended purpose of the relationship, and taking measures to establish source of funds. Any one of those elements, provided by a third party, brings paragraph 9 of the Code into play.

A single onboarding can therefore involve more than one introducer if different elements come from different sources. The overseas lawyer who sends a KYC pack, the accountant who provides source of funds confirmation, the corporate administrator who passes on beneficial ownership information: each of them is, for these purposes, a potential introducer. Introduced business is the norm for most Isle of Man firms, whether or not their procedures currently reflect that.

Why it matters: the distance problem

Introduced business creates risk precisely because it increases the distance between the firm and the client. The more that CDD is assembled from third party sources rather than gathered directly, the more remote the firm’s own connection to the client becomes. A chain of parties between the firm and the client is not, in itself, disqualifying. But it requires the firm to understand and assess that chain.

The introducer risk assessment exists to do that work. Its purpose is threefold: to estimate the risk that the introduction itself creates, to determine how far the firm can reasonably rely on the CDD elements provided, and to assess whether accepting them increases the overall client risk. Crucially, responsibility for ensuring that CDD meets the requirements of the Code remains with the firm throughout. Accepting information from an introducer does not transfer that obligation.

The IRA and the CRA: complementary, not separate

The introducer risk assessment may stand alone as a document, but it is a complementary part of the customer risk assessment: a broadened CRA that incorporates the additional factors required by Code paragraph 9(4). It must be completed before the business relationship is established.

Those mandatory factors cover the firm’s assessment of the introducer, whether the introducer has actually met the client, and how the CDD reached the introducer in the first place: whether directly from the client or through further third parties. Where other parties are in the chain, the firm needs to know who they are, whether any of them met the client, whether any hold trusted person status, and whether any located outside the Island are in a List C jurisdiction.

The combined risk picture from the CRA and the IRA determines the overall risk level of the client. Where that combined picture indicates higher risk, enhanced due diligence is required and reasonable efforts must be made to establish source of wealth. If at any stage the firm cannot satisfy itself as to the veracity or acceptability of the CDD, or as to the client’s identity, the business must not proceed.

What the December 2025 update added

The December 2025 Handbook revision made two changes relevant to introduced business.

Section 2.2.10.4 of the Handbook sets out the specific factors the introducer risk assessment should address. Several of these, including whether the introduction is consistent with the introducer’s usual referral patterns and what the introducer’s own processes look like when meeting clients, have been in the guidance for some time. If your IRA template does not already prompt those questions, that is worth addressing.

The December 2025 update added two further factors. The first is the nature and status of the introducer, including whether they hold trusted person status and the jurisdictions in which they are based and operate. The second is a note, carrying real practical weight, that verifying the identity of the introducer is not strictly required.

For firms that have been treating introducer identity verification as a mandatory step, this is worth understanding carefully. The practical test is whether the firm knows enough about the introducer and the link between it and the client in the instant circumstances, to place confident reliance on what has been provided. If the answer is yes, formal identity verification of the introducer may add nothing of substance. If the answer is no, more information or verification is needed regardless of whether the Handbook mandates the precise form it takes.

The FSA has given firms discretion here, but discretion is not the same as latitude. It requires a judgment to be made, not a step to be skipped.

What needs attention

Two things require genuine focus, and both are about how staff understand the framework rather than whether the forms are filled in.

The first is the definition itself. If the people handling onboarding do not recognise introduced business when it arrives, the IRA does not get done. Given how wide the definition is, that is a realistic risk for firms whose training and procedures frame introducers narrowly. It is worth checking that your team understands what the framework is actually capturing.

The second is the purpose of the IRA steps. The questions the IRA addresses are not process for their own sake. They are there to make the chain safe: to establish that the client has been properly identified, and that the firm’s reliance on the information provided is genuinely defensible. Every IRA should be able to answer two questions clearly. Has the client been adequately identified through this chain? And can the firm point to a reasoned basis for placing reliance on what it has been given? Everything else in the process exists to support those two answers.