07 July 2026: Isle of Man’s Proliferation Financing National Risk Assessment Released

The Isle of Man has published its first standalone National Risk Assessment (NRA) on Proliferation Financing (PF),which provides a comprehensive assessment of PF threats, vulnerabilities and consequences across the Island, while outlining key recommendations to strengthen the national framework for preventing and mitigating PF risks.

 

This marks a significant milestone as the 2026 suite of NRAs are now concluded ahead of the Island’s MONEYVAL mutual evaluation onsite this autumn. A comprehensive understanding of money laundering, terrorist financing and proliferation financing (ML/TF/PF) risks is the foundation of an effective AML/CFT/CPF framework, and these assessments provide a robust evidence base to inform national policy, supervision and risk mitigation efforts.

The assessment finds that the Island’s overall residual risk is medium-low, reflecting strong legal frameworks, effective implementation of international sanctions, and very limited direct exposure to Countries of Proliferation Concern and other jurisdictions linked to proliferation activity and sanctions evasion.

While the likelihood is assessed as Medium Low, the consequences of any PF failure would be significant for the Island (regulatory, reputational, financial and international impacts) and are assessed as Medium.

 

PF Channels for the Isle of Man

In particular, as a small but internationally connected IFC, relevant channels include:

  • Cross-border financial flows (including payments that transit multiple jurisdictions)
  • Multi-jurisdictional legal persons and arrangements that can be used to obscure control and beneficial ownership
  • Storage/holding of funds and assets within administered entities or arrangements, including dormant funds held between stages of wider proliferation activity
  • Unwittingly holding cyber-enabled revenue generation by PF-linked actors, including the use of virtual assets
  • Association with Countries of Proliferation Concern and third countries and intermediary jurisdictions that are exploited for sanctions evasion, procurement, transhipment or payment processing in support of proliferation activity

These channels do not imply elevated domestic PF threat. The IOM has a limited association with Countries of Proliferation Concern, third countries and intermediary jurisdictions that may be exploited for sanctions evasion, procurement, trans-shipment or payment processing in support of proliferation activity. PF threats to the Island are predominantly limited and indirect, but it remains exposed through global financial channels.

 

Online Gambling

International online business models, cyber-enabled crime typologies and links to virtual assets may create indirect PF exposure, particularly where illicit proceeds (including from cyber-enabled activity) are moved through gambling channels.

 

The FIU’s 2025 typology report for Online Gambling highlights Red Flags and Typologies for ML, TF and PF, documents several PF-relevant patterns, including:

  • use of gambling accounts to launder large volumes of fiat or virtual assets stolen by DPRK-linked cyber actors;
  • links between customer wallets and addresses associated with state-sponsored hacking groups; and
  • cyber-enabled thefts of cryptocurrency from gambling platforms where the perpetrators are suspected to be acting on behalf of DPRK.

The GSC has also highlighted the risk of DPRK-linked actors exploiting international business arrangements by infiltrating companies, including IT and software providers, using false identities. Remuneration may be received in virtual assets and subsequently moved through multiple wallets, platforms and jurisdictions, or converted via intermediaries, to obscure the source of funds and facilitate wider money laundering or proliferation financing networks.

These typologies mirror the global picture described in RUSI and UN reporting, which have repeatedly highlighted DPRK’s reliance on cybercrime and virtual assets to generate foreign currency for its weapons programme.

While the gambling sector is not considered a significant direct PF vulnerability, these typologies demonstrate how online gambling platforms may be exposed to proceeds generated by proliferation-related cyber activity and sanctions evasion, particularly where virtual assets, cross-border payment flows, and complex corporate structures are involved.

 

PF Outreach

PF understanding is improving but remains less mature than ML/TF in some areas; priorities include targeted training to industry and agencies, improved PF‑relevant data, and PF‑specific typologies/red flags to support proportionate, risk‑based controls.

The PF questionnaire conducted jointly by the FSA and GSC in 2024 confirmed that while gambling operators generally have mature ML control frameworks, PF-specific understanding is less advanced, pointing to the need for continued training and guidance. The convergence of online gambling, VAs and cyber-enabled fraud typologies means that the sector will remain a priority channel for PF vigilance.

To support continued improvement in PF risk understanding, the GSC intends to undertake a follow-up PF survey to assess changes in operators' awareness, risk assessments and control frameworks since 2024. The GSC is also exploring the collection of additional targeted financial sanctions (TFS) data to enhance its understanding of sectoral risks, inform supervisory priorities, and further strengthen its risk-based approach to supervision and outreach. To minimise industry burden, these data points would be incorporated into the planned PF survey or existing regulatory returns where appropriate.

 

What should you do?

This NRA is intended to be used by industry stakeholders to inform BRAs. For businesses in the regulated sector, the need for a BRA is a requirement of the AML/CFT Codes and it must have regard to any relevant findings of the most recent NRA relating to the Island. It should also be used to assist businesses who are not regulated by the FSA or GSC but could face risks in relation to PF or other proliferation activities.

 

1.    Review and update risk assessments

Consider the findings of the PF NRA when reviewing BRAs. Consideration should also be given to the CRA and TRA and whether these require updating.

Assess PF risk exposure arising from VA products and payment channels, cross-border payments and international customer bases, cyber-enabled crime, Proliferation Countries of Concern and other higher risk jurisdictions, Complex ownership structures and international business arrangements; and relationships with third-party providers.

When updating BRAs assessments, firms should document whether identified PF-TFS exposures fall within their risk appetite, and whether existing controls sufficiently mitigate residual risk or require enhancement, recognising that a risk-based approach supports proportionate management.

It is acceptable to consider this NRA as it is published but update the overall BRA at its next formal review date, based on the nature, size and complexity of the business and its potential PF exposure.

 

2.    Review controls

Operators should review whether existing sanctions, TFS and virtual asset controls remain commensurate with their risk exposure, such as

·         sanctions screening and monitoring arrangements;

·         monitoring of wallet activity and unhosted wallet exposures; identification of blockchain addresses linked to illicit activity; and

·         oversight of payment providers facilitating virtual asset transactions.

Appropriate scrutiny should also be applied to customers, counterparties, suppliers and payment flows involving intermediary jurisdictions that may be vulnerable to sanctions evasion or concealment activities.

 

3.    Consider monitoring and training programmes

Operators should incorporate PF-specific red flags and typologies into monitoring frameworks.

Operators should also increase staff awareness and training on PF risks within their own firms, particularly how PF differs from ML and TF, and the indicators of sanctions evasion, procurement networks, and PF linked cyber activity.

 

4.    Expect continued outreach and increasing supervisory expectations regarding PF understanding and risk mitigation.

Please also continue to engage with supervisory outreach including future PF surveys, training, typology updates, and guidance updates – your contributions are extremely valuable. Maintain a proportionate risk-based approach.

Although the overall PF risk to the Island is assessed as medium-low, the consequences of a PF event would be significant and therefore require ongoing vigilance. Controls should therefore remain proportionate to the operator’s exposure while ensuring that PF risks are appropriately identified, assessed and mitigated.

 

For practical use at firm level, RUSI guidance suggests assessing PF exposure across common institutional risk categories:

  • customers;
  • products and services offered;
  • jurisdictions operated in and with;
  • transactions;
  • delivery channels used; and
  • cyber threats.

Firms may find it helpful to use these categories to structure updates to their BRA/CRA/TRA and to document how PFTFS risks are identified, assessed and mitigated within existing financial crime controls.