Key Findings of Registered Persons from On-site Inspections

Supervisory Information Circulars
Date: Tue, 12 July 2022

This circular sets out the findings by the Cayman Islands Monetary Authority (“CIMA” or “the Authority”) from on-site inspections (“Inspections”) conducted on Registered Persons (“RPs”) as defined pursuant to schedule 4 and section 5(4) of the Securities Investment Business Act (“SIBA”) for the period 24 October 2020 to 31 December 2021. The scope and methodology for the Inspections are set out at Annex 1.

The Authority has identified key areas of weakness across anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), countering proliferation financing (“CPF”) and targeted financial sanctions (“Sanctions”) (together, “AML/CFT”) compliance. The Authority continues to remind all RPs of their regulatory obligations to adhere to legislation, regulations, regulatory rules and/or statements of guidance, and to ensure that their own policies, procedures, systems, and controls are of an appropriate standard.

Notable deficiencies were found relating to: 

  • AML/CFT policies and procedures; 
  • Customer due diligence (“CDD”) and ongoing monitoring programmes; 
  • Employee training and awareness programmes; 
  • Oversight of outsourced AML/CFT compliance functions; 
  • Implementation of an independent and effective risk-based AML/CFT audit function;
  • Governance oversight of the AML/CFT compliance function by the Board of Directors (“Board”) or its equivalent;
  • Internal reporting policies and procedures;
  • Assessment of risk and application of a risk-based approach (“RBA”); and
  • Record keeping policies and procedures.

RPs should closely consider the findings in this Circular and ensure that their AML/CFT policies, procedures, systems, and controls are always of the appropriate standard, noting that they may be subject to an Inspection by the Authority. The Authority acknowledges the remediation efforts undertaken by RPs.

More broadly, all Financial Service Providers (FSPs) may use this Circular to enhance their AML/CFT compliance. In particular, FSPs should focus on strengthening their regimes with respect to policies and procedures, ongoing monitoring, employee training and oversight of compliance functions. In doing so, FSPs can reduce the risks of their businesses being abused by criminals.

Executive Summary of the Inspections

This Circular derives from two sets of data, which have been separated into overall findings per RP inspected, and CDD and risk assessment findings across files reviewed.

Overall Findings Per RP Inspected

A review of the RPs’ policies and procedures and the adequacy and effective implementation of their AML/CFT programmes including outsourced AML/CFT functions revealed the following weaknesses:

  • Policies and procedures:

| Identified areas | % of RPs inspected with indicated weaknesses |
| --- | --- |
| Customer identification, verification and ongoing monitoring | 79% |
| Risk-based approach | 62% |
| Internal reporting | 59% |
| Sanctions compliance systems and controls | 43% |
| Independent periodic AML/CFT audit to evaluate system controls | 38% |
| Periodic review of procedural manuals to incorporate changes in the Cayman Islands regulatory framework | 34% |
| Record keeping | 25% |
| Employee screening | 11% |

  • CDD and ongoing monitoring documentation: 75% of the RPs inspected indicated weaknesses in their CDD and ongoing monitoring programmes to evidence periodic customer file reviews and transactional monitoring procedures.
  • Employee training and awareness programme: 66% of the RPs inspected indicated weaknesses in their training and awareness programmes to evidence that their employees are aware of their regulatory obligations, including where specific to the Cayman Islands. 
  • Oversight of AML/CFT compliance function: 53% of the RPs inspected indicated weaknesses in the oversight of the compliance function by their Board or its equivalent.
  • Independent AML/CFT Audit Function: 47% of the RPs inspected indicated weaknesses in establishing and implementing an effective independent risk-based audit function to perform periodic AML/CFT audits.
  • Outsourced AML/CFT compliance functions: 45% of the RPs inspected indicated weaknesses in their outsourcing policies, procedures, and risk assessments.
  • Internal reporting: 42% of the RPs inspected indicated weaknesses in either designating an independent Money Laundering Reporting Officer (“MLRO”) without vested interests in the underlying business activity or around the framework for reporting suspicious activity.
  • Assessing risks and application of a RBA: 42% of the RPs inspected indicated weaknesses in assessing risk and applying a RBA relative to their identified AML/CFT risks.
  • Record keeping procedures: 28% of the RPs inspected indicated weaknesses in their records management system to evidence that all relevant records are appropriately maintained and readily accessible to the Authority.

Summary of CDD and risk assessment findings across the customer files reviewed

A review of the customer files revealed the following weaknesses, specifically for RPs:

  • Missing or inadequate CDD documentation: 36% across files reviewed indicated weaknesses in the documentation of identification and verification procedures to evidence the identity of the ultimate beneficial owners or controllers and relevant parties. 
  • Customer risk assessments: 21% across files reviewed indicated weaknesses in the documentation of the risk factors considered before determining their overall customer risk category and the appropriate level and type of mitigation to be applied. 
  • Ongoing monitoring: 19% across files reviewed indicated weaknesses in documentation of the ongoing monitoring procedures to evidence that documentation, data, or information collected at onboarding is kept current and relevant to the customer business relationship.
  • Sanctions compliance: 17% across files reviewed indicated weaknesses in documentation of the customer sanctions screening procedures due to lack of proper sanctions screening during onboarding and on an ongoing basis.
  • Source of wealth and/or funds: 3% across files reviewed indicated weaknesses in maintaining the documentary evidence of the customer’s source of wealth and/or funds or information to verify the origin of the funds or the accumulated wealth.
  • Enhanced due diligence (“EDD”) measures: 3% across files reviewed indicated weaknesses in applying and implementing EDD measures for the high-risk customers.
  • Simplified due diligence (“SDD”) measures: 1% across files reviewed indicated weaknesses in the documentation of the basis for applying SDD measures for the low-risk customers.

Detailed Findings of Inspections

The AMLRs and AML Guidance Notes require all RPs to put in place AML/CFT policies, procedures, systems, and controls appropriate for the nature, size, and complexity of their businesses.

The Inspections conducted considered each element of the AMLRs and AML Guidance Notes as set out below in the detailed findings of this Circular. 

AML/CFT policies and procedures

Regulation 5(a) of the AMLRs and Part II section 2(b) of the AML Guidance Notes outline the AML/CFT systems and programmes to be developed and maintained by all RPs.

Based on the Inspections conducted, RPs lacked appropriate policies and procedures as follows:

| Policies and procedures | % of the RPs inspected |
| --- | --- |
| In respect to customer identification, verification and ongoing monitoring | 79% |
| For the adoption of a risk-based approach in implementation and monitoring | 62% |
| Regarding internal reporting | 59% |
| Relating to sanctions compliance systems and controls | 43% |
| In respect to implementation of a risk-based independent periodic AML/CFT audit to evaluate system controls | 38% |
| Outdated procedural manuals that were not periodically reviewed to incorporate changes in the Cayman Islands regulatory framework | 34% |
| In respect to record keeping | 25% |
| Regarding the requirement to screen employees at the time of recruitment, periodically thereafter, i.e., at least annually and where a suspicion has arisen as to the conduct of the employee | 11% |

RPs are expected under the AMLRs to maintain and periodically review their procedure manuals. The frequency of review may be based on the size, nature, and complexity of the RP; however, it is expected to be done at least annually or where there are significant changes to the AML/CFT systems and obligations.

RPs are further expected under the AMLRs to conduct a gap analysis between their group-wide AML/CFT programmes and the Cayman Islands AML/CFT legislative and regulatory requirements to ensure that they, at a minimum, comply with the applicable Cayman Islands requirements. The gap analysis is key for those entities that are not domiciled in the Cayman Islands, and is expected to be conducted before relying on the group-wide programmes and as and when there are any changes to applicable AML/CFT regulatory obligations or group-wide programmes. Where gaps are identified during the gap analysis, RPs are expected to address those by making amendments to their AML/CFT programmes, as appropriate.

CDD and ongoing monitoring programmes

Regulation 12 of the AMLRs and part II sections 4 and 16 of the AML Guidance Notes outline the customer identification, verification, and ongoing monitoring procedures. 

Based on the Inspection results, 75% of the RPs indicated weaknesses in their CDD and ongoing monitoring programmes. 

Specifically, 36% across files reviewed lacked CDD documentation such as:

  • Identification for ultimate beneficial owners; 
  • Identification for directors or authorised parties or controllers; 
  • Background searches for ultimate beneficial owners and other relevant parties; and 
  • Constitutional documents such as registers of members, registers of directors, certificates of incorporation, and certificates of good standing for legal persons. 

Further, 19% across files reviewed lacked evidence to demonstrate that the RPs were implementing adequate ongoing monitoring procedures. For example, the following gaps were noted:

  • Lack of documentation of the periodic customer file reviews conducted; and 
  • Lack of documentation to evidence the transactional monitoring procedures implemented.

RPs are expected under the AMLRs to obtain all relevant information or data from reliable sources to evidence that they have identified and verified the beneficial owners and other authorised persons or relevant parties who have an effective control over the customer. 

RPs are also expected under the AMLRs to implement adequate ongoing monitoring systems and controls which will enable them to update CDD records as determined by the customer’s assigned level of risk or on occurrence of a triggering event, whichever is earlier. 

Employee training and awareness

Regulation 5(c) and (d) of the AMLRs and part II section 10(E) of the AML Guidance Notes also outline the AML/CFT employee training and awareness guidance and/or requirement. 

Based on the Inspection results, 66% of the RPs indicated weakness in their AML/CFT employee training and awareness programmes. Specifically, gaps noted included the following:

  • Lack of AML/CFT employee training conducted. For example, employees received no AML/CFT training at all, or received very limited training commensurate with their level and seniority; 
  • Lack of adequate records to evidence the training programmes; 
  • Lack of in-depth training for the AML Compliance Officer (“AMLCO”)/MLRO; and
  • Lack of training for the directors or equivalent.

Oversight of the compliance function

Regulations 3(1) and 5(e) of the AMLRs, and part II section 2(C), (2) and (5) of the AML Guidance outline the requirements to designate a person at the managerial level as the AMLCO who periodically reports directly to the Board or equivalent.

As noted in the executive summary, 53% of the RPs inspected appeared to lack a comprehensive corporate governance framework to effectively monitor the RP’s AML/CFT compliance. For example, the following deficiencies were noted:

  • Lack of appropriate Board oversight of the entity’s controls, policies, or procedures. For example, Board minutes indicating no discussion of AML/CFT compliance matters;
  • Lack of evidence of the Board approving key AML/CFT policies and procedures; and
  • Lack of documented corporate governance policies and procedures outlining the structure and collective duties of the Board or its equivalent with respect to AML/CFT compliance.

Under the AMLRs, the RP is ultimately responsible for complying with the applicable AML/CFT obligations. Therefore, the Board or its equivalent is expected to provide effective oversight of the RP to monitor its compliance with the laws and regulations of the Cayman Islands. Such oversight is an important part of setting a culture of compliance from the top-down. 

Independent AML/CFT audit function 

Regulation 5(a)(ix) of the AMLRs and part II Section 10(b) of the AML Guidance outline the requirements for putting in place an appropriate effective risk-based independent audit function to perform periodic AML/CFT audits to evaluate the RP’s AML/CFT systems or controls.

From the Inspections conducted, 47% of the RPs indicated the following gaps in relation to their AML/CFT Audit Function: 

  • Lack of policies and procedures with guidelines for an internal audit function; and 
  • Lack of evidence of AML/CFT/CPF and Sanctions audits being conducted.

Under the AMLRs, RPs are expected to put in place an appropriate effective risk-based independent audit function proportionate to the nature, size, and complexity of their business activities. An AML/CFT Auditor is also expected to be operationally independent of the underlying activities and the related internal control processes. In addition, the AML/CFT periodic audits are expected to assess all RP’s relevant policies, procedures, systems, and controls in line with the regulatory requirements.

Outsourced AML/CFT compliance functions

Regulation 3(2) of the AMLRs and part II sections 2(C), (10) (12) (13) (14) and section 10(C) of the AML Guidance Notes set out the requirements and/or considerations before and/or after placing reliance or outsourcing/delegating the performance of the RP’s compliance function.

Based on the Inspection results, 45% of the RPs indicated weaknesses in their delegation/outsourcing frameworks including:

  • Lack of documented outsourcing policies and procedures; 
  • Lack of outsourcing agreements that clearly set out the obligations of all parties involved; 
  • Lack of materiality, service provider due diligence and periodic risk assessments; and 
  • Lack of oversight over the outsourced AML/CFT functions by the Board or its equivalent.

RPs are ultimately responsible for compliance with the applicable requirements under the AMLRs. Therefore, it is essential that the Board or equivalent and/or senior management has in place a comprehensive outsourcing framework and provides adequate oversight for all the outsourced material AML/CFT functions.

Internal reporting procedures

Regulation 34 of the AMLRs and part II section 9 of the AML Guidance Notes also outline the requirements for internal reporting procedures. 

Based on the Inspections, 42% of the RPs indicated weaknesses in their internal reporting procedures including:

  • Deficiencies around reporting and record keeping requirements for maintenance of SAR and Financial Reporting Authority (“FRA”) registers;
  • Lack of designation of an MLRO/DMLRO who was independent of the daily business operations, meaning the person designated had vested interests in the underlying business;
  • Weaknesses in ensuring that staff were aware of the process of reporting suspicion or the identity of the person to whom it should be reported;
  • Weaknesses in designating an MLRO/DMLRO; and
  • Weaknesses in maintaining logs for enquiries and/or requests from the FRA.

Under the AMLRs, RPs are required to put in place adequate internal reporting procedures in line with the Cayman Islands regulatory framework including the designation of an independent MLRO/DMLRO. 

Assessing risk and application of a RBA

Regulation 8 of the AMLRs and part II section 3 of the AML Guidance Notes outline to RPs how to assess risk and apply a RBA relative to their identified AML/CFT risks. 

As indicated in the summary of overall findings, 42% of the RPs inspected showed weaknesses in their assessment of risk and application of a RBA. Specifically, the RPs lacked the following:

  • A documented overall business risk assessment taking into consideration all the relevant AML/CFT risks relative to the RP’s structure and business activities; and 
  • A documented RBA methodology explaining the process for the application and implementation of their customer risk assessment in accordance with the customer’s perceived risk. For example, the incorporation of considerations of all applicable risk factors such as the criteria for assessing transaction or customer risk.

In addition, 21% of the files reviewed revealed deficiencies including the following:

  • Customer risk assessments were not being performed and/or kept current as part of the RP’s ongoing monitoring programme; 
  • Customer risk assessments did not consider all relevant risk factors for the customer before determining the level of overall risk and the appropriate level and type of mitigation; 
  • Customer risk assessments were not reviewed and/or approved by senior management; and 
  • Customer risk assessment forms were not dated. 

RPs are expected under the AMLRs to document the RBA including implementation and monitoring procedures and updates to the RBA. Accordingly, the documentation of the relevant RBA policies, procedures, review results and responses should enable the RP to demonstrate to the Authority:

  • the system and methodology for risk assessment, including how the RP assesses AML/CFT risks; 
  • the details of the implementation of appropriate systems and procedures, including due diligence requirements, considering its risk assessments; 
  • how it monitors and, as necessary, improves the effectiveness of its systems and procedures; and 
  • the arrangements for reporting to senior management and the Board on the results of AML/CFT risk assessments and the implementation of its AML/CFT risk management systems and control processes.

Record keeping 

Regulation 31 of the AMLRs outlines the requirements for record keeping procedures to be maintained by the RPs. Further, Part II section 8(E) of the AML Guidance Notes reiterates that RPs shall ensure that those records will be available to the Authority on request.

The Inspections conducted revealed that 28% of the RPs had weaknesses in their records management system. Specifically, the RPs failed to: 

  • Maintain an appropriate records management system to ensure that all their documentation is accessible to the Authority within the stipulated period; 
  • Ensure their AML/CFT Manuals include specific record keeping procedures required to comply with Cayman Islands;

RPs are required under the AMLRs to ensure that all their records are maintained in line with the regulatory requirements and can be made available to the Authority on request, and to the FRA or law enforcement authorities, in accordance with the relevant provisions.

Sanctions compliance

Regulation 5(a)(v) and (viiib) and part II sections 13, 14, 15 of the AML Guidance Notes outline the requirements for sanctions compliance policies, procedures, systems and controls.

For the RPs inspected, 17% across files reviewed indicated weaknesses in gathering and maintaining sanctions screening documentation to evidence compliance with sanctions obligations applicable in the Cayman Islands. Specifically, gaps noted included: 

  • Lack of documentation to evidence the sanctions screening of customers; and 
  • Lack of documented evidence of the review and resolution of the potential sanctions matches.

Under the AMLRs, RPs are required to screen their customers and/or relevant parties or transactions to determine whether they are conducting or may conduct business involving any sanctioned person or person associated with a sanctioned person/country. Where there is a true match or suspicion, the law requires that RPs shall take steps that are required to comply with the sanctions obligations including filing of compliance reporting forms to the FRA. Additionally, RPs are required to file a SAR with the FRA, if they discover a relationship that contravenes a sanctions order or a direction under any applicable legislation, and document all the actions that were taken to comply with the sanctions regime, and the rationale for each such action. 

EDD measures

Regulations 17, 27 and 28 of the AMLRs and part II section 6 of the AML Guidance Notes also outline the nature and extent of EDD measures that should be applied where AML/CFT risks are higher. 

For the RPs inspected, 3% across files reviewed had no documented evidence of the nature and extent of EDD measures performed including:

  • Inadequate implementation of policies and procedures regarding EDD measures; and 
  • Lack of searches for adverse media reports in respect to high-risk customers. 

Under the AMLRs, where the risks of AML/CFT are higher, or in cases of unusual or suspicious activity, RPs are required to have in place EDD measures that are well documented and consistent with the risks identified.

SDD measures

Regulations 21 and 22 of the AMLRs and part II section 5 of the AML Guidance Notes outline the criteria for applying SDD measures for low-risk customers.

The Inspection results revealed that 1% across files reviewed lacked documented evidence of adequate SDD policies and justification for the application of SDD measures for low-risk customers.

Pursuant to the AMLRs, the Authority expects the RPs to document the basis for application and implementation of SDD measures in line with the Cayman Islands regulatory framework. 

Conclusion and Recommendations

The Inspections indicated that RPs have concerning weaknesses in the implementation of their policies and procedures with respect to CDD and ongoing monitoring, employee training and awareness, the oversight of the compliance function, internal reporting, assessing risk and application of a RBA, outsourcing, audit function, and records management. The Authority has issued requirements to the inspected RPs and expects that they will address identified deficiencies in a timely and thorough manner. The Authority is also taking enforcement action where appropriate and proportionate.

The Authority continues to expect that all RPs will take note of these findings and act to ensure that their own AML/CFT compliance frameworks meet the standards prescribed and periodically assess their AML/CFT compliance programmes to ensure that they are appropriate for the nature, size, and complexity of their business.

The Authority will continue to promote its supervisory mandate through both offsite monitoring and onsite inspection processes. All FSPs are reminded that any breach of a law, regulation or rule or non-compliance with a statement of guidance may result in an enforcement action, which can also include or be in addition to the imposition of an administrative fine for any breach of the AMLRs. 

References

  1. Applicable Securities and AML/CFT legislation
  2. Securities Regulatory Rules and/or Statements of Guidance
  3. Combined Sectoral Risk Ratings

Annex 1: Scope and methodology for the Inspections

This Circular is based on the inspection findings of fifty-three (53) RPs whose final reports were issued between 24 October 2020 and 31 December 2021. 

The percentages for the overall findings per RP in the executive summary of this Circular are expressed as a proportion of those fifty-three (53) RPs unless otherwise stated. The table below shows the services offered by the RPs analysed:

| Service(s) offered by the RPs inspected | Number of RPs |
| --- | --- |
| Securities Manager | 29 |
| Securities Advisor | 11 |
| Broker Dealer | 1 |
| Securities Arranger | 2 |
| Securities Manager/Advisor | 3 |
| Securities Manager/Arranger | 1 |
| Securities Advisor/Arranger | 1 |
| Securities Manager/Advisor/Arranger | 5 |
| Total | 53 |

The scope and methodology of Inspections included, but was not limited to, the following:

  • An assessment of the adequacy of the RP’s corporate governance framework and its operational effectiveness, including whether there is clear accountability for AML/CFT and sanctions risk management and clear and independent escalation and decision making;
  • An assessment of the adequacy and the effective implementation of the RP’s AML/CFT compliance programme including its AML/CFT risk management policies and procedures and the associated internal controls. If any component of the RP’s compliance function is outsourced, an assessment of the implementation of the RP’s outsourcing procedures; and 
  • An assessment of the operational effectiveness of the RP’s AML/CFT controls that involved sample testing across relevant applicable areas. A sample population of 205 customer files was selected across all the selected RPs. File sampling took place by a combination of random selection and selection based on specific characteristics of the customer e.g. risk profile. The Authority assessed each file for compliance with applicable customer identification and verification legislation, rules and standards of the Cayman Islands and the Authority. 
  • The Authority has prepared individual reports for the RPs inspected and will take appropriate and proportionate action where necessary. Individual RPs are not to consider this Circular as a source of confirmation as to whether any issued requirements have been met.

 
