Registered Persons: Key Findings from On-site Inspections 2020

Supervisory Information Circulars
Date: Mon, 14 December 2020

This Circular sets out the Cayman Islands Monetary Authority’s (the “Authority”) preliminary findings from on-site inspections (“Inspections”) conducted of Registered Persons (“RPs”) as defined pursuant to schedule 4 and section 5(4) of the Securities Investment Business Act (“SIBA”). The Authority has identified key areas of weakness across anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), countering proliferation financing (“CPF”) and targeted financial sanctions (“Sanctions”) (together, “AML/CFT”) compliance. The Authority reminds all RPs of their regulatory obligations to adhere to legislation, regulatory rules and/or statements of guidance, and to ensure that their own policies, procedures, systems, and controls are of the appropriate standard.

Securities broker-dealers, managers, arrangers, advisors, and market makers play a vital part in the global economy. They reinforce the status of the Cayman Islands as an international financial centre. They also help safeguard against flows of illicit finance. In June 2019, following the recommendations by the Caribbean Financial Action Task Force (“CFATF”), the SIBA was amended to bring previously defined Excluded Persons (“EPs”) under the supervisory remit of the Authority. As a result, all EPs were required to re-register with the Authority by 15 January 2020 and are now identified as RPs. RPs are subject to supervision similar to all other financial service providers (“FSPs”) and must provide information pertaining to their ownership, operations and control structure.

The definition of RPs has been specified in schedule 4 of the SIBA. Generally, RPs are engaged in activities such as: (a) securities managers; (b) securities advisors; (c) securities arrangers; (d) broker dealers; and (e) market makers. In March 2020, the Cayman Islands published its sector specific risk assessment of the EPs and the overall AML/CFT risk was rated ‘Medium High’.

In 2020, the Authority commenced its risk-based approach to supervision of RPs to assess their AML/CFT policies, procedures, systems, and controls. The Authority conducted Inspections to determine whether RPs met the requirements of the Anti-Money Laundering Regulations (2020 Revision) (the “AMLRs”), the Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands (2020 Revision) (the “AML Guidance Notes”), as well as other applicable legislations and accepted standards of best practice. 

The scope and methodology for the Inspections is at Annex 1 and a summary of the weaknesses identified from the 2020 Inspections is set out below. Notable deficiencies were found around the: 

  • development and maintenance of AML/CFT policies and procedures; 
  • customer due diligence (“CDD”) and ongoing monitoring programmes; 
  • outsourced AML/CFT compliance functions; 
  • employee training and awareness programmes; 
  • assessment of risk and application of a risk-based approach (“RBA”); 
  • oversight of the compliance function by the Board of Directors (“Board”) or equivalent; 
  • internal reporting policies and procedures; 
  • implementation of an independent and effective risk-based AML/CFT audit function; and 
  • record keeping policies and procedures.

RPs should closely consider the findings within this Circular and ensure that their AML/CFT policies, procedures, systems and controls are of the appropriate standard at all times, noting that they may be subject to an inspection by the Authority.

More broadly, all FSPs may use this Circular to enhance their risk-based approach to AML/CFT compliance. In particular, FSPs should focus on strengthening their documentation of policies and procedures, record keeping and ongoing monitoring regimes. In doing so, FSPs can reduce the risks of their businesses being abused by criminals. 

Executive Summary of the Inspections

This Circular derives from two sets of data, which are separated into overall findings per RP inspected, and CDD and risk assessment findings per file reviewed. This is set out in B below. 

Overall findings across all RPs 

A review of the RPs’ adequacy and effective implementation of their AML/CFT programmes including policies and outsourced AML/CFT functions revealed the following weaknesses: 

  • AML/CFT policies and procedures: 79% of the RPs inspected indicated weaknesses in the development and maintenance of policies and procedures appropriate for the nature, size, and complexity of their business. 
  • CDD and ongoing monitoring documentation: 50% of the RPs inspected indicated weaknesses in their CDD and ongoing monitoring programmes to evidence that the customer documents, data, or information collected are kept current and relevant. 
  • Outsourced AML/CFT compliance functions: 33% of the RPs inspected indicated weaknesses in their outsourcing policies, procedures, and risk assessments. 
  • Employee training and awareness programme: 33% of the RPs inspected indicated weaknesses in their training and awareness programmes to evidence that their employees are aware of their regulatory obligations.
  • Assessing risk and application of a RBA: 25% of the RPs inspected indicated weaknesses in assessing risk and applying a RBA relative to their identified AML/CFT risks. 
  • Oversight of compliance function: 25% of the RPs inspected indicated weaknesses in the oversight of the compliance function by their Board or equivalent. 
  • Internal reporting: 21% of the RPs inspected indicated weaknesses in either designating an independent Money Laundering Reporting Officer (“MLRO”) without vested interests in the underlying business activity or reporting suspicious activity. 
  • Independent AML/CFT Audit Function: 17% of the RPs inspected indicated weaknesses in establishing an effective independent risk-based audit function to perform periodic AML/CFT audits. 
  • Record keeping policies and procedures: 13% of the RPs inspected indicated weaknesses in their records management system to evidence that all relevant records are appropriately maintained and readily accessible to the Authority.

B: Summary of CDD and risk assessment findings across the customer files reviewed 

A review of the customer files revealed the following weaknesses, specifically:

  • Missing or inadequate CDD documentation: 30% of files reviewed indicated weaknesses in the documentation of identification and verification procedures to evidence the identity of the ultimate beneficial owners or controllers and relevant parties.
  • Customer risk assessments: 23% of the files reviewed indicated weaknesses in the documentation of the risk factors considered before determining their overall customer risk category and the appropriate level and type of mitigation to be applied.
  • Sanctions compliance: 19% of the files reviewed indicated weaknesses in documentation of the customer sanctions screening procedures due to lack of proper sanctions screening during on-boarding and on an ongoing basis.
  • Source of wealth and/or funds: 9% of the files reviewed indicated weaknesses in maintaining the documentary evidence of the customer’s source of wealth and/or funds or information to verify the origin of the funds or the accumulated wealth. 
  • Ongoing monitoring: 9% of the files reviewed indicated weaknesses in documentation of the ongoing monitoring procedures to evidence that documentation, data, or information collected at onboarding is kept current and relevant to the customer business relationship.
  • Simplified due diligence (“SDD”) measures: 5% of the files reviewed indicated weaknesses in the documentation of the basis for applying SDD measures for the low-risk customers.
  • Enhanced due diligence (“EDD”) measures: 5% of the files reviewed indicated weaknesses in applying and implementing EDD measures for the high-risk customers. 

Detailed Findings of the Inspections

The AMLRs, and AML Guidance Notes require all RPs to put in place AML/CFT policies, procedures, systems, and controls appropriate for the nature, size, and complexity of their businesses. 

The Inspections conducted considered each element of AMLRs and AML Guidance Notes as set out below in the detailed findings of this Circular. 

AML/CFT policies and procedures

Regulation 5(a) of the AMLRs and part II section 2(b) of the AML Guidance Notes outline the AML/CFT systems and programmes to be developed and maintained by all RPs.

Based on the Inspections conducted, 79% of the RPs indicated weaknesses in developing and maintaining appropriate AML/CFT programmes. Specifically: 

  • 50% of the RPs inspected lacked designed policies and procedures in respect to ongoing monitoring, records retention, sanctions compliance, internal reporting for declined business and suspicious activity, RBA implementation and monitoring, EDD measures, eligible introducers (“EI”), employee screening, audit function and CDD measures for one-off transactions and individual/legal customers. In addition, some RPs lacked a documented gap analysis between the group-wide programmes and the Cayman Islands regulatory requirements. 
  • 21% of the RPs inspected had AML/CFT procedural manuals with EI, CDD and employee training procedures that were either incomplete or not adequately tailored to the nature, size, and complexity of the RP’s business. 
  • 8% of the RPs inspected had outdated procedural manuals that were not periodically reviewed to incorporate the changes in the Cayman Islands regulatory framework.

RPs are expected under the AMLRs to maintain and periodically review their procedural manuals. The frequency of review may be based on the size, nature, and complexity of the RP; however, it is expected to be done at least annually or where there are significant changes to the AML/CFT systems and obligations.

RPs are further expected under the AMLRs to conduct a gap analysis between their group-wide AML/CFT programmes and the Cayman Islands AML/CFT legislative and regulatory requirements to ensure that they, at a minimum, comply with the applicable Cayman Islands requirements. The gap analysis is key for those entities that are not domiciled in the Cayman Islands, and is expected to be conducted before relying on the group-wide programmes and as and when there are any changes to applicable AML/CFT regulatory obligations or group-wide programmes. Where gaps are identified during the gap analysis, RPs are expected to address those by making amendments to their AML/CFT programmes, as appropriate. 

CDD and ongoing monitoring programmes 

Regulations 11 and 12 of the AMLRs and part II sections 4 and 16 of the AML Guidance Notes outline the customer identification, verification, and ongoing monitoring procedures. 

Based on the Inspection results, 50% of the RPs indicated weaknesses in their CDD and ongoing monitoring programmes. 

Specifically, 30% of the files reviewed lacked CDD documentation such as: 

  • Identification for ultimate beneficial owners or controllers; 
  • Identification for directors or authorised parties; 
  • Background searches for ultimate beneficial owners and other relevant parties; 
  • Constitutional documents such as register of members, register of directors, certificate of incorporation, certificate of good standing for legal persons; and 
  • Identification for all the relevant parties involved in one-off wire transfer transactions.  

Further, 9% of the files reviewed lacked documentary evidence regarding the verification of the customer’s source of wealth and/or funds. Such documents may include, but are not limited to: 

  • Copies of audited financial statements; 
  • Bank statements; 
  • Independently verified source of wealth and/or funds declarations; 
  • Confirmation received from independent third-party sources; and 
  • Data gathered from variable public sources. 

Lastly, 9% of the files reviewed lacked evidence to demonstrate that the RPs were performing adequate ongoing monitoring procedures. For example, the following gaps were noted: 

  • Lack of documentation of the periodic customer file reviews conducted; and 
  • Lack of documentation to evidence the transactional monitoring procedures performed. 

RPs are expected under the AMLRs to obtain all relevant information or data from reliable sources to evidence that they have identified and verified the beneficial owners and other authorised persons or relevant parties who have an effective control over the customer. 

RPs are also expected under the AMLRs to implement adequate ongoing monitoring systems and controls which will enable them to update CDD records as determined by the customer’s assigned level of risk or on occurrence of a triggering event, whichever is earlier.

Outsourced AML/CFT compliance functions

Regulation 3(2) of the AMLRs and part II section 2(c) (10) (12) (13) (14) and 10(c) of the AML Guidance Notes set out the requirements and/or considerations before and/or after placing reliance or outsourcing/delegating the performance of the RP’s compliance function. 

Based on the Inspection results, 33% of the RPs indicated the following weaknesses in their delegation/outsourcing frameworks: 

  • Lack of documented outsourcing policies and procedures; 
  • Lack of outsourcing agreements that clearly set out the obligations of all parties involved; 
  • Lack of materiality, service provider due diligence and periodic risk assessments; and 
  • Lack of oversight over the outsourced AML/CFT functions by the Board or equivalent.

RPs are ultimately responsible for compliance with the applicable requirements under the AMLRs. Therefore, it is essential that the Board or equivalent and/or senior management has in place a comprehensive outsourcing framework and provides adequate oversight for all the outsourced material AML/CFT functions.

Employee training and awareness

Regulation 5(c)(d) of the AMLRs and part II section 10(e) of the AML Guidance Notes also outline the AML/CFT employee training and awareness guidance and/or requirements.

Based on the Inspection results, 33% of the RPs indicated weakness in their AML/CFT employee training and awareness programmes. Specifically, the following gaps were noted: 

  • Lack of AML/CFT employee training conducted. For example, some employees received no AML/CFT training at all, or received very limited training commensurate with their level and seniority; 
  • Lack of in-depth training for the anti-money laundering compliance officer (“AMLCO”)/MLRO; and 
  • Lack of training for directors or equivalent.

Assessing risk and application of a RBA

Regulation 8 of the AMLRs and part II section 3 of the AML Guidance Notes outline to RPs how to assess risk and apply a RBA relative to their identified AML/CFT risks.

As indicated in the executive summary above, 25% of the RPs inspected showed weaknesses in their assessment of risk and application of a RBA. Specifically, the RPs lacked the following:

  • A documented overall business risk assessment taking into consideration all the relevant AML/CFT risks relative to the RP’s structure and business activities; 
  • A documented RBA methodology explaining the process for the application and implementation of their customer risk assessment in accordance with the customer’s perceived risk. For example, some RPs classified clients as “medium risk” without being able to demonstrate why and how they arrived at that conclusion; and 
  • A consistent application of customer risk assessment in accordance with the RP’s own risk assessment methodology. For example, the RP’s risk scoring sometimes did not seem to align with the RP’s methodology. Clients from jurisdictions assessed as “high risk” under the RP’s own methodology were sometimes labelled “medium risk”, without any documented explanation.

In addition, 23% of the files reviewed revealed the following deficiencies:

  • Customer risk assessments were not being performed and/or kept current as part of the RP’s ongoing monitoring programme; 
  • Customer risk assessment did not consider all relevant risk factors for the customer before determining the level of overall risk and the appropriate level and type of mitigation; and 
  • Customer risk assessments were not reviewed and/or approved by senior management.

RPs are expected under the AMLRs to document the RBA including implementation and monitoring procedures and updates to the RBA. Accordingly, the documentation of the relevant RBA policies, procedures, review results and responses should enable the RP to demonstrate to the Authority: 

  • the system and methodology for risk assessment, including how the RP assesses AML/CFT risks; 
  • the details of the implementation of appropriate systems and procedures, including due diligence requirements, considering relevant risk assessments; 
  • how it monitors and, as necessary, improves the effectiveness of its systems and procedures; and 
  • the arrangements for reporting to senior management and the Board on the results of AML/CFT risk assessments and the implementation of its AML/CFT risk management systems and control processes. 

Oversight of the compliance function

Regulation 3(1) of the AMLRs and part II section 2(c)(2) and (5) of the AML Guidance outline the requirements to designate a person at the managerial level as the AMLCO who periodically reports directly to the Board or equivalent.

As noted in the executive summary, 25% of the RPs inspected appeared to lack a comprehensive corporate governance framework to effectively monitor the RP’s AML/CFT compliance. For example, the following deficiencies were noted: 

  • Lack of documented evidence that the Board or equivalent was making relevant AML/CFT compliance related enquiries into the affairs of the RP and, where necessary, requesting information from service providers or AMLCOs, or their presence at Board meetings; 
  • Lack of periodic compliance reports by the AMLCO to the Board or equivalent; 
  • Lack of documented Board approval of the RP’s AML/CFT procedural manuals; 
  • Lack of a Board Charter or equivalent governance structure that covered the roles and responsibilities of the Board regarding the RP’s AML/CFT compliance; 
  • Lack of periodic self-assessment of Board’s performance and governance practices with respect to the overall effectiveness of the RP’s AML/CFT Compliance regime; and 
  • Lack of a designated or appointed independent AMLCO by the Board. 

Irrespective of whether the AMLCO is an employee or the RP has delegated or relied on another person to oversee the compliance function, under the AMLRs, the RP is ultimately responsible for complying with the applicable AML/CFT obligations. Therefore, the Board or equivalent is expected to provide effective oversight of the RP to monitor its compliance with the legislations of the Cayman Islands. 

Sanctions compliance

Regulation 5(a)(v)(viiia)(viiib) of the AMLRs and part II sections 13, 14 and 15 of the AML Guidance Notes outline the requirements for sanctions compliance policies, procedures, systems and controls.

For the inspections conducted, 19% of the files reviewed indicated weaknesses in gathering and maintaining sanctions screening documentation to evidence compliance with sanctions obligations applicable in the Cayman Islands. Specifically, the following gaps were noted:

  • Lack of documentation to evidence the sanctions screening of customers; and 
  • Lack of documented evidence of the review and resolution of the potential sanctions matches. 

Under the AMLRs, RPs are required to screen their customers and/or relevant parties or transactions to determine whether they are conducting or may conduct business involving any sanctioned person or person associated with a sanctioned person/country. Where there is a true match or suspicion, the law requires that RPs shall take steps that are required to comply with the sanctions obligations including filing of compliance reporting forms to the Financial Reporting Authority (“FRA”). Additionally, RPs are required to file a SAR with the FRA, if they discover a relationship that contravenes a sanctions order or a direction under any applicable legislations, and document all the actions that were taken to comply with the sanctions regime, and the rationale for each such action.

Internal reporting procedures

Regulation 34 of the AMLRs and part II section 9 of the AML Guidance Notes also outline the requirements for internal reporting procedures.

Based on the Inspections, 21% of the RPs indicated weaknesses in their internal reporting policies and procedures. Specifically:

  • For 17% of the RPs inspected, the designated MLRO/DMLRO was not independent of the daily business operations and therefore had vested interests in the underlying business activity; and 
  • For 4% of the RPs inspected, there was inadequate investigation and/or documentation of suspected suspicious activity by the RP’s MLRO/DMLRO in line with the Cayman Islands regulatory requirements.

Under the AMLRs, RPs are required to put in place adequate internal reporting procedures in line with the Cayman Islands regulatory framework including the designation of an independent MLRO/DMLRO. 

Independent AML/CFT Audit Function 

Regulation 5(a)(ix) of the AMLRs and part II Section 10(b) of the AML Guidance outline the requirements for putting in place an appropriate effective risk-based independent audit function to perform periodic AML/CFT audits in order to evaluate the RP’s AML/CFT systems or controls.

From the Inspections conducted, 17% of the RPs indicated the following gaps in relation to their AML/CFT Audit Function: 

  • Lack of evidence that the AML/CFT audits performed assessed all the RP’s relevant AML/CFT policies, procedures, systems, and controls; and
  • Lack of an effective independent risk-based audit function to perform periodic AML/CFT audits. In some instances, outsourced providers were performing overlapping services including providing AML/CFT training, acting as MLRO and performing audit, posing a clear conflict of interest and causing the RP to lack the risk-based independent audit function required under the AMLRs. 

Under the AMLRs, RPs are required to demonstrate that the AML/CFT Auditor is operationally independent of the underlying activities and the related internal control processes. In addition, the AML/CFT periodic audit must assess all RP’s relevant policies, procedures, systems, and controls in line with the regulatory requirements.

Record keeping

Regulation 31 of the AMLRs outlines the requirements for record keeping procedures to be maintained by the RPs. Further, part II section 8(e) of the AML Guidance Notes reiterates that RPs shall ensure that those records will be available to the Authority on request. 

The Inspections conducted revealed that 13% of the RPs had weaknesses in their records management system. Specifically, the RPs failed to: 

  • Maintain an appropriate records management system to ensure that all their documentation is accessible to the Authority within the stipulated period; and 
  • Maintain records in the English language, or have them professionally translated into written English without delay, at the request of the Authority. For example, some customer files contained documentation purporting to evidence the identity of clients in languages other than English, without translation. 

RPs are required under the AMLRs to ensure that all their records are maintained in line with the regulatory requirements, and can be made available to the Authority on request, and to the FRA or law enforcement authorities, in accordance with the relevant provisions. 

EDD measures

Regulations 27 and 28 of the AMLRs and part II section 6 of the AML Guidance Notes also outline the nature and extent of EDD measures that should be applied where AML/CFT risks are higher.

The Inspection results revealed that 5% of the customer files reviewed had no documented evidence of the nature and extent of EDD measures performed to obtain: 

  • Approval of senior management prior to commencement of customer business; 
  • Additional information on the intended nature of the business relationship; and 
  • Additional information on the source of funds or source of wealth of the applicant/customer.

Under the AMLRs, where the AML/CFT risks are higher, or in cases of unusual or suspicious activity, RPs are required to have in place EDD measures that are well documented and consistent with the risks identified.

SDD measures

Regulations 21 and 22 of the AMLRs and part II Section 5 of the AML Guidance Notes outline the criteria for applying SDD measures for low risk customers.

The Inspections revealed that 5% of the files reviewed lacked documented evidence of the facts and circumstances considered by RPs before applying SDD measures and/or granting CDD exemptions for their low-risk customers.

Pursuant to the AMLRs, the Authority expects the RPs to document the basis for application and implementation of SDD measures in line with the Cayman Islands regulatory framework.

Conclusion and Recommendations

The Inspections indicated that RPs have concerning weaknesses in the implementation of the RP’s policies and procedures with respect to the oversight of the compliance function, outsourcing, assessing risk and application of a RBA, CDD and ongoing monitoring, employee training and awareness, records management, audit function and internal reporting. The Authority has issued requirements to the inspected RPs and expects that they will address identified deficiencies in a timely and thorough manner. The Authority is also taking enforcement action where appropriate and proportionate.

The Authority further expects that all RPs will take note of these findings and act to ensure that their own AML/CFT compliance frameworks meet the standards prescribed by the AMLRs and the AML Guidance Notes, and all other applicable legislations. RPs should also periodically assess their AML/CFT compliance programmes to ensure that they are appropriate for the nature, size, and complexity of their business.

The Authority will continue to promote its supervisory mandate through both offsite monitoring and onsite inspection processes to assess the RPs’ adherence to applicable legislations, rules, statements of guidance, internal policies, and procedures, as well as best practices. All FSPs are reminded that any breach of a law, regulation or rule or non-compliance with a statement of guidance may result in an enforcement action, which can also include or be in addition to the imposition of an administrative fine for any breach of the AMLRs.

Annex 1: Scope and methodology for the Inspections

This Circular is based on the inspection findings of twenty-four (24) RPs undertaken in 2020 up until the end of the observation period prescribed by the Financial Action Task Force (23 October 2020). 

The percentages for the overall findings per RP in the executive summary of this Circular are expressed as out of twenty-four (24) RPs whose final reports have been issued to date, unless otherwise stated. The table below shows the services offered by these RPs analysed: 

| Service(s) offered by RPs inspected | Number of RPs |
|---|---|
| Broker Dealer | 1 |
| Securities Advisor | 3 |
| Securities Manager | 9 |
| Securities Arranger/Manager | 2 |
| Securities Manager/Advisor | 5 |
| Securities Manager/Advisor/Arranger | 3 |
| Broker Dealer/Securities Manager | 1 |
| Total | 24 |

The scope and methodology of Inspections included, but was not limited to, the following: 

  • An assessment of the adequacy of the RP’s corporate governance framework and its operational effectiveness, including whether there is clear accountability for AML/CFT risk management and clear and independent escalation and decision making; 
  • An assessment of the adequacy and the effective implementation of the RP’s AML/CFT compliance programme including its AML/CFT risk management policies and procedures and the associated internal controls. If any component of the RP’s compliance function is outsourced, an assessment of the implementation of the RP’s outsourcing procedures; and 
  • An assessment of the operational effectiveness of the RP’s AML/CFT controls that involved sample testing across relevant applicable areas. A random sample population of 214 customer files was selected across all the selected RPs. The Authority assessed each file for compliance with applicable customer identification and verification legislations, rules and standards of the Cayman Islands and the Authority.

The Authority has prepared individual reports for the RPs inspected and will take appropriate and proportionate action where necessary. 

References

RPs are encouraged to review the links below which provide further guidance on the subject matter: 

  1. Applicable Securities and AML/CFT Legislations 
  2. Securities Regulatory Rules and/or Statements of Guidance 
  3. Combined Sectoral Risk ratings