AML/CFT & Sanctions Onsite Inspections & Findings Pt 2

Supervisory Information Circulars

Date: Fri, 29 May 2020

On-site inspections are fundamental to the effective execution of the Authority’s post-licensing regulatory and supervisory mandate. Inspections provide the Authority with an opportunity to engage with licensees to discuss best practices and industry developments, to evaluate licensees’ compliance with the regulatory framework and to validate corrective measures implemented to address previously identified deficiencies. The COVID-19 pandemic has presented new challenges to conducting onsite inspections. Nevertheless, the Authority seeks to maintain the same level of focus by using remote, virtual and video technology.

Following the CFATF 4th Round Mutual Evaluation Report “CFATF MER Report” (March 2019) and the resulting recommendations, the Authority bolstered its inspection capacity and realigned its inspection program, with greater emphasis being placed on Money Laundering /Terrorist Financing (“ML/TF”) risks as well as the risks associated with targeted financial sanctions (“TFS”). The Authority has also refined its Risk Based Approach to supervision and streamlined the on-site inspection function and related processes. Inspections have become more risk focused, aligning the scope of inspection work with the inherent risk and control environment of licensees.

Synopsis of On-Site Inspections Conducted

During 2019, the Authority conducted a total of 200 inspections across all sectors (compared with 164 in 2018 and 117 in 2017). Of the total inspections conducted in 2019, 175 inspections were primarily focused on compliance with Anti-Money Laundering/Countering Financing of Terrorism (“AML/CFT”) and Sanctions. Inspections carried out at deposit taking institutions represented 32% of all inspections conducted.

A breakdown of inspections conducted during 2019 by license type is illustrated in the figure below.

Overview of Inspections Findings and Requirements

During 2019, 1,322 requirements were documented in final inspection reports issued by the Authority. The majority (96%) of the inspection requirements were in the following five (5) key compliance risk areas: AML/CFT and Sanctions Compliance (60%), Operational Risk and Management (20%), Corporate Governance (11%), Regulatory Reporting (3%), and Business Continuity Management (2%).

AML/CFT & Sanctions Risk	Operational Mgmt/Risk	Corporate Governance	Regulatory Reporting	Business Continuity Mgmt
793	258	149	40	31

The following three lists provide a non-exhaustive summary of the types of findings from the 2019 inspections which relate to AML/CFT & Sanctions, Corporate Governance and Risk and Operation Management. This information highlights common recurrent areas of non-compliance and/or breaches.

AML/CFT & Sanctions

Policies and Procedures

Outdated or deficient AML/CFT policies and/or controls
Non-compliance with the Licensee’s AML/CFT manual
AML/CFT polices do not sufficiently address the certification of client identification documents
Inappropriate documentation of a risk-based approach (RBA)
Inadequate Politically Exposed Persons (PEP) policies and procedures
Inadequate gap analysis performed by the Licensee to identify and address gaps between the Licensee’s group-wide AML/CFT Policies and Procedures and the applicable regulatory requirements of the Cayman Islands
Non-compliance with regulatory requirements to perform periodic internal AML/CFT audits
AML/CFT polices do not sufficiently address sanction targeted entity (including individuals, corporations, territories, countries, etc.) against a sanction updated lists, which is applicable to the Cayman Islands

Periodic Reviews and On-going Monitoring

Inadequate AML/CFT systems, policies and procedures for on-going client and transaction monitoring
Inadequate performance of client reviews to comply with Licensee’s policies and procedures and/or AMLRs/Guidance Notes
Incomplete or inappropriate documentation of source of wealth and/or source of funds
Inadequate/ incomplete open source searches and methodology for clearing false positives
Inadequate internal review and documentation of declined business and sanctioned parties
Inadequate procedures for conducting due diligence, obtaining sufficient evidence to support the wire transfers and conducting post-event review of the wire transfers

Customer Due Diligence/Know Your Customer Documentation

Incomplete or inappropriate CDD documentation, source of funds, source of wealth and/or
verification requirements
Expired CDD/KYC documents
Illegible photo identification documents

AML/CFT Training

Inadequate AML/CFT training policy or programmes
Inadequate training programme contents, documentation and/or maintenance of training logs

Risk-Based Approach

Licensee’s risk-based approach (RBA) is not being appropriately applied for its size, nature and complexity, considering all relevant risk factors
Incomplete or inappropriate client risk rating tool
Inadequate/incomplete customer and entity risk assessment methodology documenting all factors and parameters

Corporate Governance

Missing or untimely notification to the Authority regarding changes in appointments of Directors/ Officers/ External Auditors (where applicable)
Inadequate oversight of AML/CFT compliance by Board of Directors
No periodic self-assessments being performed by the Board of Directors
No formally documented or incomplete business continuity/ succession plans
Governance body terms of reference not in line with actual practice (e.g. frequency of Board of Directors meetings)
Absence of a conflict of interest policy
Inadequate compliance reporting
No independent directors represented on the Board
No documented remuneration policy
No documented plan or strategy for the performance of internal audits
No appointed compliance committee in place
No documented Board discussion surrounding the entity’s strategic objectives, the means of attaining those objectives and procedures for monitoring and evaluating its progress toward those objectives
No Board charter outlining the Director(s) roles and responsibilities

Risk and Operation Management

Inadequate measures, assessment, reporting, monitoring and control for all sources of risks that could have a material impact on its operations
Lack of evidence regarding any quantitative and qualitative analysis (stress tests) conducted with regards to the risk exposures
No formally documented risk appetite approved by the Board that clearly specifies the risk tolerance levels acceptable to the licensee
Missing or inadequate outsourcing policies and procedures to test the effectiveness in both design and implementation of its outsourcing function
Inadequate documentation of due diligence assessments being performed on service providers and their affiliated parties, in accordance with the SOG Outsourcing
Inadequate outsourcing arrangements, where Licensee is expected to have a detailed, legally binding, written outsourcing agreement or contract in place irrespective of whether such arrangements are with related or unrelated parties.

The above information with regards to the AML/CFT findings and requirements imposed has been further broken down in the below tables to show the number of licensees in each sector that were identified to have deficiencies in various AML/CFT compliance areas. It should be noted that a licensee may have been identified to have deficiencies in more than one compliance area.

2019 OSIs – AML/CFT deficiencies

The following table provides statistical information on the number and type of licensees, and the AML/CFT and Sanctions related deficiencies in various key compliance areas from the 2019 inspections:

Type of Licensee	AML/CFT Programme	CDD/KYC Procedures	Internal Audit	Officer Appointment	On-going Monitoring	Outsourcing	Policies and Procedures	Programmes Against Ml/TF	Record Keeping Procedures	Risk-Based Approach	Training Programme
Deposit-taking Institutions	16	28	12	10	16	2	30	15	4	22	14
Companies Management	1	9	3	3	4	0	6	4	0	7	3
Trust and Corporate Service Provider	1	5	2	2	0	0	3	3	1	4	4
Insurer Licensees	-	10	-	4	2	-	5	9	-	6	3
Mutual Fund Administrators	1	17	2	3	6	0	9	3	2	10	2
Securities	1	9	1	3	5	0	7	5	1	8	4

2019 OSIs – Targeted Financial Sanctions-Related Deficiencies

The table below shows the number of licensees identified to have Sanctions related deficiencies in inspection reports issued for each sector during 2019.

Sanctions Related Deficiencies	Deposit-taking Institutions	Securities	TCSPs	Insurance
Monitoring	6	0	4	2
Policies/Procedures	7	1	4	1
Training	1	0	1	0

Financial Service Providers should take note of the deficiencies outlined above, and where applicable, take remedial steps to ensure that their policies, procedures and practices consider pertinent risks and are compliant with applicable laws and regulations. Where the Authority identifies non-compliance and/or breaches by licensees, it will take prompt and appropriate action.

CIMA Enforcement Actions – 2019

CIMA has a range of enforcement powers including a power to impose administrative fines under the Monetary Authority Law and Anti Money Laundering Regulations. CIMA’s powers to impose sanctions through enforcement actions for breaches of AML/CFT (other than administrative fines) are through the operation of its regulatory laws. These actions can range from the removal of directors, to suspension and revocation/cancellation of a licence or registration, appointment of a Controller and winding up of companies under the regulatory laws and the Companies Law. As outlined in Table 7 below, in 2019, CIMA took 25 enforcement actions, these included 8 revocations/cancellations, 1 Controllership, 1 Winding Up-petition and found 6 directors not fit and proper. In that year, CIMA also issued 5 Administrative Fines Breach Notices and 3 Warning Notices.

Sector	Revocations/ Cancellations	Appointment of Controllers	Winding Up Petitions	Cease and Desist/ Requirements/ Conditions	Actions Under DRLL	Warning/Admin Fines Breach Notices	Total	AML/CFT Enforcement Actions	AML/CFT Breaches Identified	Directors Found Not Fit and Proper
Banking	0	0	0	0	0	5	5	5	75	0
Fiduciary	1	0	0	1	0	0	2	2	20	0
Insurance	2	0	0	0	0	1	3	1	6	2
Investments	5	0	0	0	5	2	12	0	-	4
Securities	0	1	1	1	0	0	3	3	9	0
Total	8	1	1	2	5	8	25	11	110	6

During 2019, the Cayman Islands updated various legislation to strengthen the jurisdiction’s AML/CFT framework, including:

Anti-Money Laundering (Amendment)(No.2) Regulations, 2019
Companies (Amendment) Law, 2019
Limited Liability Companies (Amendment) Law, 2019
Limited Liability Partnership (Amendment) Law 2019
Mutual Funds (Amendment) Law, 2019
Insurance (Amendment) Law, 2019
Building Societies (Amendment) Law, 2019
The Cooperative Societies (Amendment) Law, 2019
The Banks and Trust Companies (Amendment) Law, 2019
Trusts (Amendment) (No. 2) Law 2019
Money Services (Amendment) Law 2019
Trusts (Transparency) Regulations, 2019
Private Trust Companies (Amendment) (No. 2) Regulations, 2019

Looking Ahead

The Authority will continue to promote its supervisory mandate through both offsite monitoring and onsite inspection processes to assess its Licensees adherence to applicable laws, regulations, rules, statements of guidance, internal policies and procedures, as well as best practices

During 2020, the Authority will continue to be vigilant with its onsite inspection program, which will be augmented by the newly established Anti Money Laundering Division as well as the jurisdiction’s enhanced deterrence mechanisms.

We encourage licensees to continue to regularly assess their individual compliance programs to ensure that their framework is commensurate with the risks inherent to their business. Licensees are urged to address identified deficiencies in a timely and thorough manner, as there will be no tolerance for repeat deficiencies.

AML/CFT & Sanctions Onsite Inspections & Findings Pt 2

Sign up for our E-alerts