Advisers, brokers face expanded scrutiny under the OMNI-Risk Return
The end-of-year ramping up of financial services regulation got an early start this year with an end of September invitation to stakeholders to share their views on the planned OMNI-Risk Return. This cross-sector requirement replaces the daunting OMNI Conduct of Business Return (OMNI-CBR) which was widely condemned as being too expansive for most financial institutions.
The good and ugly of digital returns
Any celebrations over this change will dissipate as you unpack the emerging digital reporting landscape. FSCA Communication 19 of 2025 required seven pages for its update on the implementation of the FSCA Integrated Regulatory Solution (IRS) and the roll-out of the OMNI-Risk Return. Your writer’s first observation is that this return is just one part of an evolving compliance load to be delivered via IRS. So, although the initial pressure of OMNI-CBR is off the table, the path opens for any number of new digital reporting requirements.
In keeping with tradition, the communication contains links to countless resources which are accessible from the regulator’s dedicated OMNI-Risk Return page. Notables include the 15-page explanatory guide on the return (Annexure B) and a 12-section excel spreadsheet return template (Annexure A). NB, the final report will not be presented in excel, but in the IRS. Readers will have to review these documents plus a handful of others to inform their written comment on the contents of the OMNI-Risk Return by latest 30 November 2025. As a brief foreshadowing of emerging reporting complexity, the template includes 46 definitions that compliance gurus will have to wrap their heads around before tackling the return.
Get your comments in before 30 November
The FSCA said it will engage further on the details of the OMNI-Risk Return via various platforms. First and foremost, they have shared a high-level explanatory webinar on YouTube setting out the background, context and objectives of the OMNI-Risk Return. They also plan to host three virtual workshops via Microsoft Teams to discuss different sections of the OMNI-Risk Return, with opportunity for questions. The live sessions are limited to 250 attendees each, but recordings will be shared. And you will have to attend or watch all three 2-hour-long workshops to cover the 12-sections in the OMNI-Risk Return template.
“Industry associations and individual financial institutions that wish to arrange additional sessions to clarify specific issues before finalising their written submissions are welcome to reach out to the FSCA with such requests,” wrote FSCA Deputy Commissioner, Farzana Badat. “But in light of timing pressures, individual requests will be considered and prioritised based on the availability and capacity of relevant FSCA team members.”
How we got to this point
It makes sense to step back and reflect on how the industry got to this point. On 6 June 2025, the FSCA published FSCA Communication 12 of 2025 containing an update on the roll-out and implementation of the cross sectoral OMNI-CBR for financial institutions. This return had been introduced by the FSCA between 2021 and 2023 as an integral part of its future approach to supervisory data collection. Communication 12 changed course to align this and other data collection initiatives with the authority’s “multi-year, organisation-wide digital transformation strategy … [underpinned by] the procurement of the IRS, a supervisory technology platform.”
According to the FSCA, “A significantly revised and streamlined version of the OMNI-CBR, namely the OMNI-Risk Return, will serve as the foundational data source feeding into the IRS’ automated risk model in future.” The new supervisory risk model and OMNI-Risk Return are planned during Phase 2 of the FSCA’s overall implementation roadmap for the IRS. The roadmap spans three phases from April 2024 until August 2026. The consultation and engagement on the data contained in the OMNI-Risk Return forms a critical part of Phase 2, with an industry pilot of the overall IRS scheduled for mid-2026, and ‘go live’ for September.
Some considerations for advisers
Your responses to the 12-section OMNI-Risk Return will allow the FSCA to assign your firm a comparable risk score and benchmark you against peers. This rating will be revised at each reporting cycle, with frequency currently envisaged as annual, though it may change as the supervisory model evolves. The regulator’s intention is to use standardised data to identify outliers, track sectoral patterns and intervene early where risks are elevated. Against this backdrop, advisers should pay close attention to the following focus areas within the return.
Section 3 of the OMNI-Risk Return probes governance structures and corporate culture. You will be asked to disclose the diversity and independence of your governing bodies, the design of performance incentives and how quickly non-compliance incidents are remediated. The frequency of professional liability or cyber-related claims will also form part of the risk picture. Weaknesses in these areas could elevate your risk rating, while strong governance practices may help reduce it.
Next level KYC
The FSCA requires that you segment customers by income levels, legal entity types and politically exposed person (PEP) status. Information requested under section 4 will allow the regulator to assess both customer vulnerability and potential Anti-Money Laundering and Combating the Financing of Terrorism (AML-CFT) exposures. A high proportion of low-income or mass-market clients, for example, may increase conduct risks, while significant PEP exposure raises reputational and financial crime risks.
How you manage and allocate customer funds is under the spotlight in section 5 with questions about the timeliness of fund allocations, the extent of offshore and high-risk transactions and levels of arrear retirement fund contributions. Some of these measures apply more directly to retirement funds and administrators, but the principle is clear: weak controls over clients’ assets raise concerns about customer treatment and systemic risk exposures.
Technology and data are another critical focus in the return. In section 10, the FSCA wants details on systems downtime, IT governance findings, cyber incidents and data breaches. Firms must inform the regulator of both the occurrence of incidents and their customer impact. Institutions with repeated IT audit findings, weak remediation practices or frequent data breaches can expect an increased risk score. By contrast, those demonstrating resilience, sound data governance and robust cyber defences will be seen more favourably.
Framing your response to OMNI-Risk
The best way to get to grips with the OMNI-Risk Return will be to go through the 12-section return while reading the Explanatory Guide to the OMNI-Risk Return (Annexure B). This guide is a great reference point for your review of the proposal and subsequent feedback to the regulator.
It contains an introduction to the harmonised supervisory risk model; an explainer on how the FSCA will use data collected through the return; comment on frequency of reporting; and more. “The publication of these documents signals the commencement of a two-month consultation period in respect of the data that will be requested through the OMNI-Risk Return,” the FSCA wrote.
Reading for meaning, the two-month consultation period is not about whether or not this return becomes part of your compliance load, but rather about the data and information the report will demand from you. The official comment period on the OMNI-Risk Return opens from 1 October 2025, but you may wish to hold your response until after the aforementioned virtual workshops take place on 3, 4 and 10 November.
The comment window closes on 30 November, but you have to submit your feedback using the FSCA’s response template. As the regulator explains: “Any comments submitted in any other format outside the aforementioned template will not be considered.” The FSCA will publish further detail on the system pilot and implementation timelines early in 2026.
Writer’s thoughts:
The OMNI-CBR was deferred in part because smaller firms pushed back against the rising compliance burden, but the new OMNI-Risk Return looks just as daunting. Your thoughts? Please comment below, interact with us on X at @fanews_online or email us your thoughts [email protected].
