CLARITY - our library of practical, frank compliance information for regulated businesses

The New CEP Test Is Simpler. That's Not Entirely Good News.

Commercially Exposed Persons arrived on the Isle of Man compliance scene as a data field on the AML/CFT Statistical Return before being formally defined in the Handbook. In a relatively short space of time, they have gone from a slightly obscure category that many firms were not quite sure what to do with, to a defined concept with its own two-part test. The December 2025 Handbook update gives firms a cleaner, more operational definition. It also, quietly, drops some earlier language that was doing useful work.

This article looks at what changed, what was lost in the edit, and how Isle of Man firms can hold on to both the clarity and the nuance.

The June 2025 picture: more colour, more ambiguity

When CEPs first arrived in meaningful guidance, the framing was relatively rich. The core idea was that a CEP is someone linked to an industry or activity with higher exposure to bribery and corruption, and who holds a prominent position or enjoys a high public profile such that they might abuse that position for private gain.

To give that some texture, the guidance offered examples: persons performing prominent functions for international organisations; senior local or regional public officials with the ability to influence the award of public contracts; decision-making members of high-profile sporting bodies; individuals known to influence government and other senior decision-makers.

That framing did something valuable. It pushed firms to look beyond job titles and think about real-world influence and visibility. It acknowledged that corruption risk often sits in the grey space between public and private sectors, and it gave compliance teams permission to treat certain soft-power roles as CEP-adjacent even when the employer did not fit neatly into a classic high-risk industry category.

The downside was that the definition felt open-ended to some, and a number of firms responded by tagging almost anyone in a named sector as a CEP, just in case.

December 2025: a sharper test

The December 2025 Handbook revision moved to a more compact, operational definition. A CEP now needs to meet two limbs: involvement in an industry or activity typically associated with a higher risk of bribery and corruption, and within that context, a senior decision-making role or ultimate effective control.

Two important caveats sit alongside that test. CEPs are not intended to be treated in the same way as PEPs. And identification is on a best endeavours basis. The expectation is that firms factor CEP exposure into their customer risk assessments, not that they build a full parallel PEP-style regime.

What has receded is the earlier emphasis on prominent position and high public profile, along with those illustrative examples of sports-body officials, local government figures, and informal influencers.

In practical terms, the new wording helps firms build a cleaner, more defensible identification process that reduces the risk of over-capture. It is also, if applied too literally, slightly easier to miss people whose risk comes from visibility and soft power rather than an obviously senior corporate role.

What the edit removed

Two threads from the earlier wording are worth keeping in your internal thinking, even if they no longer feature prominently in the Handbook.

The first is that influence is not always about job title. The June-era language recognised that a person's ability to facilitate or benefit from bribery can come from media profile, roles in high-visibility sporting or civic associations, or personal networks that give privileged access to decision-makers. Those individuals may not sit in a textbook high-corruption-risk sector, but they can still open doors and shift decisions in ways that create money-laundering risk.

The second is that corruption thrives in quasi-public spaces. By referencing senior local officials and people who influence government and other senior decision-makers, the earlier guidance acknowledged that many risky roles live in state-linked or publicly-funded entities: state-owned enterprises, public-private partnerships, grant-funded bodies. The line between public-sector PEP risk and commercial CEP risk is often genuinely blurry, and a pure sector-plus-decision-making test can under-capture individuals in those hybrid roles unless you are consciously looking for them.

Holding on to both

The risk based approach means you don’t have to choose between the old and new approaches.

Use the December test as your operational baseline for day-to-day customer risk assessment and system design. Two limbs, clearly met or not, consistently applied, directly referenced to the latest Handbook wording. That keeps identification manageable and defensible.

Internally, you can still recognise that some individuals deserve CEP-level attention even if they sit at the edges of the formal definition. Your internal guidance can retain the earlier illustrative examples and instruct staff that where a customer or controller clearly fits the prominence-and-soft-power profile, that warrants escalation for consideration, even if the sector label is borderline.

If you went broad after the first wave of guidance, the December revision is also a good moment to tidy up. De-scope individuals who were tagged solely because they worked in a named sector but hold no material decision-making power. Retain or add individuals who meet the new two-part test, or who sit in hybrid prominent-influence roles where your judgement is that CEP-like treatment is warranted. If your CEP numbers shift meaningfully, a short note on why (recalibrated after December 2025 Handbook clarification) will help if the question comes up at your next supervisory visit or on the Statistical Return.

Finally, bring the nuance back in through training. Case studies work well here: put two people side by side, one who clearly meets the two-part test and one who primarily fits the prominent-influencer profile with a less obvious sector link and ask your team how they would approach each. That conversation builds the kind of judgement that no tick-box can replicate.

The bigger picture

Handled thoughtfully, the evolution of CEP guidance gives you a genuinely good story to tell. You followed the initial guidance and built a framework. You refined your approach after the December 2025 update to focus on real influence and avoid unnecessary over-capture. And you still recognise soft-power corruption risk, even where the latest wording does not spell it out explicitly.

That combination of clarity and considered judgement is exactly what a mature, risk-based approach looks like in practice.