This circular sets out the findings by the Cayman Islands Monetary Authority (“CIMA” or “the Authority”) from on-site inspections (“inspections”) conducted on Registered Persons (“RPs”) as defined pursuant to schedule 4 and section 5(4) of the Securities Investment Business Act (“SIBA”) for the period 24 October 2020 to 31 December 2021. The scope and methodology for the Inspections are set out at Annex 1.
The Authority has identified key areas of weaknesses across anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), countering proliferation financing (“CPF”) and targeted financial sanctions (“Sanctions”) (together, “AML/CFT”) compliance. The Authority continues to remind all RPs of their regulatory obligations to adhere to legislation, regulations, regulatory rules and/or statements of guidance, and to ensure that their own policies, procedures, systems, and controls are of an appropriate standard.
Notable deficiencies were found relating to:
RPs should closely consider the findings in this Circular and ensure that their AML/CFT policies, procedures, systems, and controls are always of the appropriate standard, noting that they may be subject to an Inspection by the Authority. The Authority acknowledges the remediation efforts undertaken by RPs.
More broadly, all Financial Service Providers (FSPs) may use this Circular to enhance their AML/CFT compliance. In particular, FSPs should focus on strengthening their regimes with respect to policies and procedures, ongoing monitoring, employee training and oversight of compliance functions. In doing so, FSPs can reduce the risks of their businesses being abused by criminals.
Executive Summary of the Inspections
This Circular derives from two sets of data, which have been separated into overall findings per RP inspected, and CDD and risk assessment findings across files reviewed.
Overall Findings Per RP Inspected
A review of the RPs’ policies and procedures and the adequacy and effective implementation of their AML/CFT programmes including outsourced AML/CFT functions revealed the following weaknesses:
Identified areas | % of RPs inspected with indicated weaknesses |
Customer identification, verification and ongoing monitoring | 79% |
Risk-based approach | 62% |
Internal reporting | 59% |
Sanctions compliance systems and controls | 43% |
Independent periodic AML/CFT audit to evaluate system controls | 38% |
Periodic review of procedural manuals to incorporate changes in the Cayman Islands regulatory framework | 34% |
Record keeping | 25% |
Employee screening | 11% |
Summary of CDD and risk assessment findings across the customer files reviewed
A review of the customer files revealed the following weaknesses, specifically for RPs:
Detailed Findings of Inspections
The AMLRs and AML Guidance Notes require all RPs to put in place AML/CFT policies, procedures, systems, and controls appropriate for the nature, size, and complexity of their businesses.
The Inspections conducted considered each element of the AMLRs and AML Guidance Notes as set out below in the detailed findings of this Circular.
AML/CFT policies and procedures
Regulation 5(a) of the AMLRs and Part II section 2(b) of the AML Guidance Notes outline the AML/CFT systems and programmes to be developed and maintained by all RPs.
Based on the Inspections conducted, RPs lacked appropriate policies and procedures as follows:
Policies and procedures | % of the RPs inspected |
In respect to customer identification, verification and ongoing monitoring | 79% |
For the adoption of a risk-based approach in implementation and monitoring | 62% |
Regarding internal reporting | 59% |
Relating to sanctions compliance systems and controls | 43% |
In respect to implementation of a risk-based independent periodic AML/CFT audit to evaluate system controls | 38% |
Outdated procedural manuals that were not periodically reviewed to incorporate changes in the Cayman Islands regulatory framework | 34% |
In respect to record keeping | 25% |
Regarding the requirement to screen employees at the time of recruitment, periodically thereafter, i.e., at least annually and where a suspicion has arisen as to the conduct of the employee | 11% |
RPs are expected under the AMLRs to maintain and periodically review their procedure manuals. The frequency of review may be based on the size, nature, and complexity of the RP; however, it is expected to be done at least annually or where there are significant changes to the AML/CFT systems and obligations.
RPs are further expected under the AMLRs to conduct a gap analysis between their group-wide AML/CFT programmes and the Cayman Islands AML/CFT legislative and regulatory requirements to ensure that they, at a minimum, comply with the applicable Cayman Islands requirements. The gap analysis is key for those entities that are not domiciled in the Cayman Islands, and is expected to be conducted before relying on the group-wide programmes and as and when there are any changes to applicable AML/CFT regulatory obligations or group-wide programmes. Where gaps are identified during the gap analysis, RPs are expected to address those by making amendments to their AML/CFT programmes, as appropriate.
CDD and ongoing monitoring programmes
Regulation 12 of the AMLRs and part II sections 4 and 16 of the AML Guidance Notes outline the customer identification, verification, and ongoing monitoring procedures.
Based on the Inspection results, 75% of the RPs indicated weaknesses in their CDD and ongoing monitoring programmes.
Specifically, 36% across files reviewed lacked CDD documentation such as:
Further, 19% across files reviewed lacked evidence to demonstrate that the RPs were implementing adequate ongoing monitoring procedures. For example, the following gaps were noted:
RPs are expected under the AMLRs to obtain all relevant information or data from reliable sources to evidence that they have identified and verified the beneficial owners and other authorised persons or relevant parties who have an effective control over the customer.
RPs are also expected under the AMLRs to implement adequate ongoing monitoring systems and controls which will enable them to update CDD records as determined by the customer’s assigned level of risk or on occurrence of a triggering event, whichever is earlier.
Employee training and awareness
Regulation 5(c) and (d) of the AMLRs and part II section 10(E) of the AML Guidance Notes also outline the AML/CFT employee training and awareness guidance and/or requirement.
Based on the Inspection results, 66% of the RPs indicated weakness in their AML/CFT employee training and awareness programmes. Specifically, gaps noted included the following:
Oversight of the compliance function
Regulation 3(1), 5(e) of the AMLRs, and part II section 2(C), (2) and (5) of the AML Guidance outline the requirements to designate a person at the managerial level as the AMLCO who periodically reports directly to the Board or equivalent.
As noted in the executive summary, 53% of the RPs inspected appeared to lack a comprehensive corporate governance framework to effectively monitor the RP’s AML/CFT compliance. For example, the following deficiencies were noted:
Under the AMLRs, the RP is ultimately responsible for complying with the applicable AML/CFT obligations. Therefore, the Board or its equivalent is expected to provide effective oversight of the RP to monitor its compliance with the laws and regulations of the Cayman Islands. Such oversight is an important part of setting a culture of compliance from the top-down.
Independent AML/CFT audit function
Regulation 5(a)(ix) of the AMLRs and part II Section 10(b) of the AML Guidance outline the requirements for putting in place an appropriate effective risk-based independent audit function to perform periodic AML/CFT audits to evaluate the RP’s AML/CFT systems or controls.
From the Inspections conducted, 47% of the RPs indicated the following gaps in relation to their AML/CFT Audit Function:
Under the AMLRs, RPs are expected to put in place an appropriate effective risk-based independent audit function proportionate to the nature, size, and complexity of their business activities. An AML/CFT Auditor is also expected to be operationally independent of the underlying activities and the related internal control processes. In addition, the AML/CFT periodic audits are expected to assess all of the RP’s relevant policies, procedures, systems, and controls in line with the regulatory requirements.
Outsourced AML/CFT compliance functions
Regulation 3(2) of the AMLRs and part II sections 2(C), (10) (12) (13) (14) and section 10(C) of the AML Guidance Notes set out the requirements and/or considerations before and/or after placing reliance or outsourcing/delegating the performance of the RP’s compliance function.
Based on the Inspection results, 45% of the RPs indicated weaknesses in their delegation/outsourcing frameworks including:
RPs are ultimately responsible for compliance with the applicable requirements under the AMLRs. Therefore, it is essential that the Board or equivalent and/or senior management has in place a comprehensive outsourcing framework and provides adequate oversight for all the outsourced material AML/CFT functions.
Internal reporting procedures
Regulation 34 of the AMLRs and part II section 9 of the AML Guidance Notes also outline the requirements for internal reporting procedures.
Based on the Inspections, 42% of the RPs indicated weaknesses in their internal reporting procedures including:
Under the AMLRs, RPs are required to put in place adequate internal reporting procedures in line with the Cayman Islands regulatory framework including the designation of an independent MLRO/DMLRO.
Assessing risk and application of a RBA
Regulation 8 of the AMLRs and part II section 3 of the AML Guidance Notes outline to RPs how to assess risk and apply a RBA relative to their identified AML/CFT risks.
As indicated in the summary of overall findings, 42% of the RPs inspected showed weaknesses in their assessment of risk and application of a RBA. Specifically, the RPs lacked the following:
In addition, 21% of the files reviewed revealed deficiencies including the following:
RPs are expected under the AMLRs to document the RBA including implementation and monitoring procedures and updates to the RBA. Accordingly, the documentation of the relevant RBA policies, procedures, review results and responses should enable the RP to demonstrate to the Authority:
Record keeping
Regulation 31 of the AMLRs outlines the requirements for record keeping procedures to be maintained by the RPs. Further, Part II section 8(E) of the AML Guidance Notes reiterates that RPs shall ensure that those records will be available to the Authority on request.
The Inspections conducted revealed that 28% of the RPs had weaknesses in their records management system. Specifically, the RPs failed to:
RPs are required under the AMLRs to ensure that all their records are maintained in line with the regulatory requirements and can be made available to the Authority on request, and to the FRA or law enforcement authorities, in accordance with the relevant provisions.
Sanctions compliance
Regulation 5(a)(v) and (viiib) and part II sections 13, 14, 15 of the AML Guidance Notes outline the requirements for sanctions compliance policies, procedures, systems and controls.
For the RPs inspected, 17% across files reviewed indicated weaknesses in gathering and maintaining sanctions screening documentation to evidence compliance with sanctions obligations applicable in the Cayman Islands. Specifically, gaps noted included:
Under the AMLRs, RPs are required to screen their customers and/or relevant parties or transactions to determine whether they are conducting or may conduct business involving any sanctioned person or person associated with a sanctioned person/country. Where there is a true match or suspicion, the law requires that RPs shall take steps that are required to comply with the sanctions obligations including filing of compliance reporting forms to the FRA. Additionally, RPs are required to file a SAR with the FRA, if they discover a relationship that contravenes a sanctions order or a direction under any applicable legislation, and document all the actions that were taken to comply with the sanctions regime, and the rationale for each such action.
EDD measures
Regulations 17, 27 and 28 of the AMLRs and part II section 6 of the AML Guidance Notes also outline the nature and extent of EDD measures that should be applied where AML/CFT risks are higher.
For the RPs inspected, 3% across files reviewed had no documented evidence of the nature and extent of EDD measures performed including:
Under the AMLRs, where the risks of AML/CFT are higher, or in cases of unusual or suspicious activity, RPs are required to have in place EDD measures that are well documented and consistent with the risks identified.
SDD measures
Regulations 21 and 22 of the AMLRs and part II section 5 of the AML Guidance Notes outline the criteria for applying SDD measures for low-risk customers.
The Inspection results revealed that 1% across files reviewed lacked documented evidence of adequate SDD policies and justification for the application of SDD measures for low-risk customers.
Pursuant to the AMLRs, the Authority expects the RPs to document the basis for application and implementation of SDD measures in line with the Cayman Islands regulatory framework.
Conclusion and Recommendations
The Inspections indicated that RPs have concerning weaknesses in the implementation of the RPs’ policies and procedures with respect to CDD and ongoing monitoring, employee training and awareness, the oversight of the compliance function, internal reporting, assessing risk and application of a RBA, outsourcing, audit function, and records management. The Authority has issued requirements to the inspected RPs and expects that they will address identified deficiencies in a timely and thorough manner. The Authority is also taking enforcement action where appropriate and proportionate.
The Authority continues to expect that all RPs will take note of these findings and act to ensure that their own AML/CFT compliance frameworks meet the standards prescribed and periodically assess their AML/CFT compliance programmes to ensure that they are appropriate for the nature, size, and complexity of their business.
The Authority will continue to promote its supervisory mandate through both offsite monitoring and onsite inspection processes. All FSPs are reminded that any breach of a law, regulation or rule or non-compliance with a statement of guidance may result in an enforcement action, which can also include or be in addition to the imposition of an administrative fine for any breach of the AMLRs.
Annex 1: Scope and methodology for the Inspections
This Circular is based on the inspection findings of fifty-three (53) RPs whose final reports were issued between 24 October 2020 and 31 December 2021.
The percentages for the overall findings per RP in the executive summary of this Circular are expressed as out of those fifty-three (53) RPs unless otherwise stated. The table below shows the services offered by these RPs analysed:
Service(s) offered by the RPs inspected | Number of RPs |
Securities Manager | 29 |
Securities Advisor | 11 |
Broker Dealer | 1 |
Securities Arranger | 2 |
Securities Manager/Advisor | 3 |
Securities Manager/Arranger | 1 |
Securities Adviser/Arranger | 1 |
Securities Manager/Advisor/Arranger | 5 |
Total | 53 |
The scope and methodology of Inspections included, but was not limited to, the following: