What the TCSP NRA Said About Your Compliance Function
Anyone working in Isle of Man financial services over the past eighteen months knows that compliance staffing has been a problem. It has left boards scrambling, roles unfilled for longer than anyone is comfortable with, and firms navigating FSA fitness and propriety assessments with candidates who, in easier times, would not have been the first choice.
The FSA acknowledged this openly in a Dear CEO letter issued in May 2024. The employment market for Heads of Compliance and MLROs had tightened. Regulated entities were struggling to find suitably experienced and qualified people. F&P assessments were increasingly failing to meet the Authority's requirements. The FSA was flexible where it could be, it said, and was working with industry bodies and UCM to build capacity over the longer term. But the problem was real, and the letter was a signal that the regulator was watching.
What has changed is that the problem has now found its way into the TCSP Sector National Risk Assessment, published in March 2026. That matters more than it might first appear.
The NRA rates the effectiveness of the compliance function across the TCSP sector at Medium, with a score of 0.5. In 2015, the same measure was rated High, at 0.7. The NRA identifies three factors behind it: difficulty recruiting suitably qualified and experienced compliance professionals, variable recognition of the value of the compliance function at board level in some smaller firms, and limited use of an independent audit function to test the system. The staffing crisis that boards have been living with has been absorbed into the official risk picture for the sector. It is no longer just an operational headache. It is a documented vulnerability.
This matters for every TCSP because the AML/CFT Code requires firms to maintain a Business Risk Assessment that has regard to the most recent NRA findings. A generic reference to the NRA is not sufficient. Firms need to show how they have considered the findings and what, if anything, they have done in response. The compliance function rating is one of those findings. Boards that read the NRA carefully will find themselves looking at a score that reflects, in part, problems they have experienced directly, and asking what their own position is.
The NRA draws a distinction that is worth understanding clearly. Regulated firms of any size must have an internal compliance monitoring programme. Staff are trained, files are reviewed, the MLRO produces reports, the board receives updates. But the international standard, which the NRA references directly, does not call only for internal monitoring. It calls for some form of periodic external verification of the effectiveness of systems. Those are not the same thing, and the NRA is explicit that smaller TCSPs are not making sufficient use of the latter.
Internal monitoring tells you whether your processes are being followed. External verification asks whether your processes are the right ones, whether they are working as intended, and whether the overall compliance framework is fit for purpose given your risk profile. It is a different question, asked from a different vantage point, and it is one that internal resource, however capable, cannot fully answer about itself.
For firms that have been stretched on compliance staffing, the gap between these two things is likely to be wider than they would like. A compliance function that has been under-resourced, or that has seen turnover in senior roles, is precisely the kind of function that benefits most from an external perspective. Not because something has necessarily gone wrong, but because the conditions that make it harder to maintain objectivity and consistency are exactly the conditions that have characterised the sector for the past two years.
By highlighting the sector's compliance function in a way it did not in 2015, the NRA has placed front and centre a weakness that industry has been feeling for some time. But alongside the finding, there is something useful: a positive, clear action that firms can take. Periodic external verification will bring a firm in line with the international standard the NRA references. More than that, for a compliance function that has been stretched thin, seen turnover in senior roles, or simply had to keep moving at such pace that it hasn't had time to draw breath, it offers the opportunity to get a health check: an honest, independent assessment of where things actually stand, and a road map for moving forward safely. For many firms, it will be a genuine source of confidence.

