The “technology positive” Handbook

The Guernsey Financial Services Commission published an updated Handbook on Countering Financial Crime on 5 May 2026, alongside a feedback paper responding to its consultation on Supporting Growth with Digital Finance. It is the first phase of the Commission’s wider response and forms part of its Digital Finance Initiative.

The press release leads with “smarter use of technology in compliance” and the framing throughout is permissive — clarity, encouragement, the long-hoped-for shift from “technology neutral” to “technology positive”. Most of that’s fair. Manual measures remain perfectly acceptable. Electronic verification, digital signatures and AI-assisted tooling are now expressly recognised. Terminology has been aligned to the Electronic Transactions (Guernsey) Law, 2000. Beneficial ownership registers, including the Guernsey Registry, are flagged as a useful validating source. The Commission has confirmed it won’t define AI, won’t endorse vendors, and won’t require firms to retrospectively re-do existing risk assessments.

What the press release doesn’t mention is that there are also four new or amended red-box Commission Rules in the document — one in Chapter 3, three in Chapter 5. The feedback paper notes that paragraphs 3.70 to 3.73 are “guidance, not rules”, which is true. It’s also doing a lot of heavy lifting, because it leaves the impression that the whole update is guidance-only. It isn’t. The framing is technically accurate but slightly economical. Worth knowing what’s actually in there.

The new and amended Commission Rules

Rule 3.69 (amended). The existing rule on risk-assessing new and developing technologies has had four words added to it: “in advance of its deployment”. Firms must now, expressly, complete the assessment before the technology goes live. Sounds minor; isn’t. Implicit obligations have a habit of becoming explicit ones at exactly the point a regulator wants to enforce against them. If your system is live and your assessment is dated later, you’ve got a problem. There is allowance for this though: it has to be addressed the next time the risk assessment is due. That means at the very least flagging the potential gap now, and actually addressing it sooner if, under the risk-based approach, the risks are significant. You can’t just kick it down the road entirely.

Rule 5.28 (new). When undertaking a technology risk assessment of an electronic verification system, firms must document the identity data and information collected, the nature of the data sources to be used, and how their authenticity is assessed by the system. In short — what does it do, where does the data come from, how does it know the data is real. Three questions, all answerable in writing.

Rule 5.33 (new). The technology risk assessment must consider and document the measures within the EVS that address the risk of identification data being forged or tampered with — including, expressly, deepfakes and synthetic identities. The assessment must be reviewed at least annually. This comes with a raft of guidance on how to achieve it that in all honesty probably has not been entirely met in a lot of firms’ current risk assessments. At the very least, a review and conclusion that demonstrates compliance would be a good idea for CMPs and/or Independent Reviews done on a thematic basis.

Rule 5.36 (new). Firms must ensure that sufficient customer records to comply with Paragraph 14 of Schedule 3 and the rules in Chapter 16 are available to, and readily retrievable by, the firm for the minimum retention period. EVS data can often live with the vendor; this rule makes the firm expressly responsible for ensuring it can be produced for the full retention period regardless. If the system is not in house and producing that evidence itself, then vendors need to be providing evidence of what was done and how. Outsourced EVS arrangements without proper data-extraction or retention provisions are now an obvious gap.

Rule 5.38 (new). CDD policies, procedures and controls, and the Compliance Monitoring Programme, must include the firm’s use of electronic verification, where used. If you use EVS but your manual doesn’t say so, that’s now an express gap. If you do and your CMP isn’t explicitly testing electronic verification, that’s also a gap.

Guidance to be taken seriously

Sitting alongside the rule changes is a substantial body of new Chapter 3 guidance covering what a credible technology risk assessment looks like — robustness, resilience, security, supplier risk, and the implications of faster transaction times for the ability to intervene where suspicion arises. The implementation expectations now cover data governance, user testing, training for both users and the compliance function reviewing output, system testing before and during deployment, and adequate investment in supporting infrastructure. The Commission’s Cyber Security Rules and Guidance is now drawn into the financial crime frame too.

Yes, it’s guidance. The feedback paper is right about that. It will be read by supervisors as expectation, because that’s how guidance has always worked here. The Cyber Rules and Guidance also contain Rules that must be complied with — and these are now being linked to financial crime risk management for the first time.

Risk-assessing the technology is the easy half. Planning the implementation, training the people who will use it and the people who will challenge its output, and proving you did all of this — that’s where most existing assessments will fall short.

Chapter 8 also picks up a new sub-paragraph at 8.7(e) recognising AI as a means of identifying credible independent references about a customer or beneficial owner. The word doing the work is “credible”. AI generating something that looks like a reference isn’t the same thing as AI producing one a supervisor will accept.

What this means for boards

Nothing here requires urgent remediation, but it does need a proper look and a gap analysis drawn up.

If you use electronic verification, your existing technology risk assessment almost certainly doesn’t address Rules 5.28, 5.33, 5.36 and 5.38 explicitly, mapped rule by rule, because they are new. Those are red-box gaps. The CMP point in 5.38 and the record-retention point in 5.36 are the easiest to fix but also the easiest to overlook; both should be straightforward to evidence once the policy and contractual positions are right.

If you’ve been deferring electronic verification, digital signatures or AI-assisted tooling on the basis of regulatory caution, that justification just got weaker. Manual is still permitted, but the firm relying on it should be able to articulate why on a risk basis, rather than treating the question as settled.

And in either case, the new Chapter 3 guidance has moved the bar on what a credible technology risk assessment and implementation plan looks like. Expect supervisors to test it. With the data protection angle running alongside, the DPIA process should be brought into the same workflow for efficiency on new technology.

The strategic direction is clear. Technology adoption is now expected, the supervisory presumption has flipped, and there are five new or amended red-box rules to evidence against. Firms that read the press release and assume nothing much has changed will find out the hard way.

ápeiron is bringing out an AI- and automation-enhanced Governance, Risk and Compliance suite for GFSC-regulated firms, designed for precisely this kind of regulatory shift — more on that shortly.


ápeiron Limited works with GFSC-regulated firms on AI-enhanced compliance, technology risk assessments, and the design of compliance frameworks that hold up to scrutiny. If the Handbook update has prompted questions you would like to talk through, do get in touch.

Tommy Murphy FCCA  |  Director, ápeiron Limited  |  tommy.murphy@apeiron.gg  |  apeiron.gg

Traditional expertise. AI-powered delivery.
