Report Cards Are Out: What the Latest Wave of BVI FSC Inspection Findings Reveals

Final inspection reports have arrived at regulated entities across the British Virgin Islands. The findings follow a pattern. Here is what that pattern means, and what comes next.

Summer has arrived. Schools are closed. Report cards have been issued. And for many regulated entities in the British Virgin Islands, another type of report card has also arrived: the final inspection report from the Financial Services Commission.

Unlike school, there is no honour roll, no perfect attendance award, and no opportunity to hide the report before anyone sees it. There is only what it says, and what your firm does next.

As regulatory counsel and compliance consultants, we have observed a significant increase in the number of licencees receiving final inspection reports over recent months. While every inspection is unique, there are recurring themes which continue to appear across the industry.

What makes those themes significant is not simply that they appear. It is that they are interconnected. A weakness in one area rarely stays contained. It creates pressure across the framework in ways that are not always visible until the report arrives.

Understanding what the FSC is finding, and why the findings compound each other, is the starting point for an effective response.

What the Reports Are Showing

1. Institutional Risk Assessments

Some firms do not have an Institutional Risk Assessment in place at all. Others have an IRA, but it does not adequately address the requirements of the Anti-Money Laundering Regulations and Anti-Money Laundering and Terrorist Financing Code of Practice.

Common issues include: failure to adequately identify and assess relevant ML/TF/PF risks; inadequate methodology; lack of documented rationale for risk ratings; failure to update the IRA when circumstances change; and IRAs treated as a static document rather than a living risk management tool.

2. Customer Risk Assessments

Customer risk assessments continue to be a significant area of concern. In many instances, the risk factors required by legislation are not properly incorporated into the customer risk assessment methodology. As a result, customers may be incorrectly risk-rated.

An incorrectly rated customer often results in the wrong level of customer due diligence being applied. The deficiency does not stop at the risk assessment itself. It immediately impacts customer onboarding, ongoing monitoring, and transaction monitoring.

3. Ongoing Customer Due Diligence

Many firms have documented procedures for conducting ongoing customer due diligence reviews. The difficulty is that what is written in the manuals and what is happening in practice are often two different things.

Common issues include: review frequencies that do not align with internal procedures; required information not being refreshed during periodic reviews; documentation that does not adequately evidence the review process undertaken; and updated customer information not being independently verified where required.

A related issue is the failure to perform risk reviews as part of the ongoing due diligence process. Updating a passport or utility bill does not automatically mean a customer review has been completed. Firms must also consider whether the customer’s risk profile has changed and whether the existing risk rating remains appropriate. 

4. Suspicious Activity Reporting

Suspicious activity reporting remains an area where deficiencies continue to emerge. In some cases, policies and procedures do not adequately reflect legislative requirements. In others, firms have not maintained adequate records to demonstrate decisions made when business relationships were refused or declined due to suspicion.

A common observation is the failure to maintain comprehensive declined or refused business registers.

5. Customer Due Diligence and Transaction Monitoring

Many inspection findings ultimately trace back to deficiencies in customer due diligence. A firm can only assess risk based on the information it collects. Where critical information is not obtained during onboarding, the quality of the entire AML/CFT/CPF framework becomes compromised.

Transaction monitoring is often where earlier deficiencies begin to reveal themselves. Without a properly developed customer profile, meaningful transaction monitoring becomes extremely difficult.

The Domino Effect

One of the most important patterns we observe across inspection reports is that AML/CFT/CPF compliance cannot be viewed in silos.

What began as a customer risk assessment issue can quickly impact onboarding, ongoing due diligence, transaction monitoring, and suspicious activity reporting. The finding in one area is rarely isolated. It is the visible point of a chain reaction running through the framework.

What the FSC Expects to See

The requirements themselves are not new. What has changed is that examination teams are now testing whether practice matches documentation.

The FSC expects an IRA that reflects current business circumstances, contains documented methodology, and carries evidence of updates when those circumstances change. It expects customer risk assessments that incorporate legislatively required risk factors, with documented rationale for each rating assigned. It expects ongoing CDD documentation that evidences the review process itself: not simply updated identification documents, but a record that demonstrates the review was conducted, the risk profile was considered, and the risk rating was confirmed or revised. It expects SAR policies that reflect current legislative requirements, and a maintained declined business register that records decisions made when relationships were refused or declined due to suspicion.

These are not aspirational standards. They are the baseline against which final reports are being issued.

Where to Begin

If your firm has received a final inspection report, the following provides a structured starting point.

Review your IRA against current business circumstances and legislative requirements. Assess whether the methodology is adequate, whether relevant ML/TF/PF risks are identified, and whether the document has been updated to reflect material changes. Evidence to show: updated IRA with documented methodology, version history, and sign-off.

Audit your CRA methodology against the applicable legislative risk factors. Identify whether required factors are incorporated and whether existing customer risk ratings are supportable. Evidence to show: updated CRA template with references to legislation and documented rationale for each risk rating.

Test your ongoing CDD process against your documented procedures. Pull a sample of files and check review frequency, information refresh, independent verification, and evidence of risk profile consideration. Evidence to show: file review log with completion dates and reviewer sign-off.

Review your SAR policies for alignment with current legislative requirements. Assess whether declined business decisions are being documented adequately. Evidence to show: updated and version-controlled SAR policy, and a maintained declined business register with complete entries.

Trace a complete customer file from onboarding through to ongoing monitoring and transaction monitoring.Identify where the chain breaks down. Evidence to show: a clean, complete file demonstrating the full compliance activity across the relationship lifecycle.

How Gold Leaf Can Help

Receiving a final inspection report is not the end of the process. In many respects, it is the beginning. The report identifies what the FSC found. What it does not tell you is how to respond in a way that is credible, proportionate, and structured to withstand continued scrutiny.

We assist regulated entities in the BVI with developing practical remediation plans; reviewing and updating AML/CFT/CPF policies and procedures; Institutional Risk Assessments; Customer Risk Assessment methodologies and tools; ongoing monitoring frameworks; governance and reporting processes; and acting as regulatory consultants throughout the remediation exercise.

Because in compliance, just like school, the goal is not simply to pass the test. It is to understand the lesson well enough that you do not have to repeat the class.

If your firm has received a final inspection report and you would like to discuss your options, contact Gold Leaf for an initial conversation.