
General Overview: Audit Firms, BEC Schemes, Board Proxies & Other

Supervisory Information Circulars
Date: Fri, 06 September 2019

Considerations for Licensees in Selecting an Audit Firm

Various stakeholders, including clients, investors, shareholders and regulators, rely on audited financial statements and their accuracy for investment and/or regulatory purposes. 

Due to the importance of audited financial statements, and the reliance placed on them, the Cayman Islands Monetary Authority (“the Authority”) is using this circular to highlight a few areas that financial service providers should consider when engaging an audit firm. This list is not exhaustive: 

  • Experience – Make sure that your auditor has experience in your sector and lines of business. Just because an audit firm has funds experience does not necessarily mean it will have experience in auditing insurance captives and vice versa. You should ask for references from other companies they have audited that are similar in nature and scope to yours.
  • Staffing – Enquire about the staffing levels and whether key senior staff are resident on Island, in addition to any assistance that might be utilised offshore. This is particularly important for good communication, especially in situations where face-to-face meetings may be required and you want issues explained in non-technical jargon. Having staff that understand Cayman regulatory requirements and nuances is also important in explaining why things are done in a particular way.
  • Independence – The audit firm/auditor must be independent of the Licensee in order to maintain objectivity. For example, it will be inappropriate, and not permitted, for a Licensee to appoint an audit firm that is a closely related entity, or has common ownership with the Licensee, to audit its financial statements.
  • Fee – The cheapest is not always the best, and neither is the most expensive. Compare and contrast but if it appears too good to be true, it most likely is. If an audit firm is charging significantly lower fees than its peers, you have to ask what are the others doing that this firm is not doing. The quality of the audit and the engagement process matters.
  • Reputation – The reputation of your auditor matters in terms of whether the firm is tried and tested. Ask the right questions and request references and call such references if required. Reputation and name are not necessarily one and the same. Asking the right questions and seeking references will give an indication of the reputation irrespective of the name.
  • Peer Reviews – Audit firms tend to be subject to peer reviews. The purpose of these reviews is to verify that audits are being performed according to the required standards. In the Cayman Islands, the Cayman Islands Institute of Professional Accountants requires audit firms to carry out independent peer reviews. Do not hesitate to ask your audit firm for their latest Peer Review results.

Business Email Compromise Schemes

On 6 May 2016, the Authority issued a Public Notice on its website to alert Financial Service Providers and Licensees to the increasing cybercrime activity, especially business email compromise ("BEC") schemes. Cybercriminals use BEC attacks to impersonate business executives, thereby appearing to be a legitimate source, and request a transfer of funds to fraudulent accounts. The objective of the Public Notice in 2016 was to bring to Licensees’ attention the prevalence of BEC Schemes and cybercrime, with a view to reducing the possibility of financial services businesses being used for such crimes.

Unfortunately, the Authority has seen a few instances of successful BEC attacks on its Licensees over the last twelve months. In addition to the financial harm caused to the Licensee, funds acquired from these scams can be laundered or used to sponsor terrorists, exposing Licensees and the jurisdiction to financial and reputational damage. 

Financial Service Providers and Licensees should be vigilant and carefully scrutinise all emails; especially ones that might involve a change in contact details and other transactional instructions such as fund transfer and redemption requests. Financial Service Providers and Licensees should have robust internal controls in place, not only to verify identity, but also to review and approve transactional instructions by email. Some of the following controls/procedures should be considered, as appropriate: 

  • call-back;
  • seeking further information and proof of identity in addition to the email;
  • restricting payments of funds from client accounts to previously identified and verified accounts and never to third parties; and
  • meetings, especially where large transfers are involved.

Where a Licensee suspects that it has been a victim of a BEC attack, or any other cybercrime, an incident report should be filed with the Financial Crime Unit of the Royal Cayman Islands Police Service and the Financial Reporting Authority, immediately. Licensees should also notify the Authority and complete the Authority’s Cyber Incident Report.

It is the responsibility of the board and senior management of Financial Service Providers and Licensees to ensure that, within their institutions, there are effective and comprehensive approaches to cybercrime. Simply having policies and procedures in place is not enough. The board and senior management also have the responsibility to ensure that appropriate policies and procedures are implemented and embedded, are subject to independent review and testing, and that updates are completed as appropriate.

The Use of Proxies at Board Meetings

While the Authority recognises the legitimate use of proxies at board meetings, the overuse, misuse and/or possible abuse of proxies have raised concerns.

The Authority has encountered situations where individuals are carrying out multiple board functions, while acting as proxies, with no clear indication of how potential conflicts of interest within this arrangement have been resolved. In some cases there has been no proxy form or other written documentation to evidence the authorisation of the proxy. 

The role and responsibilities of the board of directors, as the governing body, are pivotal to any Licensee and Financial Services Provider. Accordingly, the Authority performs a rigorous review process to ensure that only persons who are fit and proper are approved as directors. As part of the approval process, the Authority carefully considers the individual’s capability and competence, as well as the collective suitability of the board. The capability aspect takes into consideration the time and effort the individual is willing and able to give to the role of board director.

The components of the corporate governance framework of Licensees, including, in particular, directors’ attendance at board meetings, are a key aspect of the Authority’s consideration when assessing the appropriateness and robustness of the governance framework. The roles and responsibilities of board directors should not be abrogated, and while the Authority recognises the usefulness of the occasional use of proxies, it will not accept the misuse and abuse of proxies by boards of directors as well as other relevant service providers.

Approval by the Authority Prior to Changes in Ownership and Control

Shares of Licensees are not to be issued or transferred without the Authority’s prior approval. This is a critical feature of all the regulatory laws. 

The Authority has encountered a number of instances where Licensees, or third parties acting on behalf of Licensees, have failed to apply for approval for a change in ownership and control, or have applied after the transfer of shares and ownership has taken place. This is in breach of the applicable Laws, and the Authority will take action if a change in control or ownership has taken place without the necessary approval being sought and received from the Authority.

The ‘Regulatory Policy: Criteria for Approving Changes in Ownership and Control’ (“RP: Changes in O and C”) sets out the policy the Authority will apply in assessing changes in ownership or control. The criteria listed in RP: Changes in O and C apply to a change in direct ownership of a Regulated Entity/Licensee as well as a change in beneficial ownership. This wording stipulates that the criteria apply to changes at the level of the Regulated Entity, its parent, or any entity directly or indirectly owning the parent.

It is the responsibility of Licensees and/or those acting on their behalf, to carry out adequate research and reviews prior to submitting an application to the Authority, to ensure that the organisation/group structure and details of Ultimate Beneficial Owners (“UBOs”) are accurate and comprehensive. The Authority has received a number of change in ownership and control applications where neither the Licensee nor the relevant party has carried out their own due diligence on the structure or the UBOs. Failure to do so not only extends the amount of time it takes the Authority to review and approve such applications but places the Licensee at significant reputational risk for proposing changes to group structure where the UBO is unknown to them. Licensees and persons acting on their behalf are therefore required to carry out their own due diligence and submit comprehensive applications, including the group’s whole structure, if part of a group, and all UBO information.  

Health Insurance Statistics

Historically, the Authority reported aggregate statistics for all Class A Insurers providing health insurance. In an effort to present statistical information in a form that is more meaningful to its users and audiences, the Authority has made a decision to report health insurance figures of class ‘A’ insurer licensees separately under two categories, namely, “domestic health” and “international health”. ‘Domestic health’ reports figures pertaining to health insurance coverage offered to persons who are ordinarily resident in the Cayman Islands, whereas ‘International health’ reports figures pertaining to international health insurance coverage offered to persons residing outside the Cayman Islands, but through Cayman-based companies.

In view of the above, the health insurance statistics have been restated for the period 2011 – 2017 to ensure that there can be no misinterpretation of what constitutes domestic health and international health.

The Authority would like to remind the public that the reported health insurance statistics are aggregated industry statistics for class ‘A’ insurers and, therefore, should be interpreted accordingly. 
