Key Findings from Onsite Inspections of Registered Persons

Supervisory Information Circulars
Date: Thu, 08 May 2025
Introduction

Registered Persons (“RPs”) are defined under Schedule 4 and Section 5(4) of the Securities Investment Business Act (“SIBA”). RPs carry out securities investment business in or from the Cayman Islands, including dealing in securities, arranging deals, investment management, and providing investment advice. The SIBA provides for the regulation of the RPs engaged in these activities in or from the Cayman Islands, including market makers, broker-dealers, securities arrangers, securities advisors, and securities managers.

In 2020, the Cayman Islands Monetary Authority (“CIMA” or the “Authority”) commenced its risk-based approach to supervision of RPs to assess their anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), countering proliferation financing (“CPF”) and targeted financial sanctions (“Sanctions”) (collectively, “AML/CFT”) policies, procedures, systems, and controls. The Authority conducted on-site inspections (“Inspections”) to determine whether RPs met the requirements of the Anti-Money Laundering Regulations (the “AMLRs”), the Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands (the “AML Guidance Notes”), as well as other applicable legislation, rules, and accepted standards of best practice.

In 2020 and 2022, the Authority published its first supervisory circular and second supervisory circular setting out the findings from Inspections conducted for the RPs in 2020 and 2021, and the controls required to be undertaken by the RPs to address the identified deficiencies.

From 2022 to date, the Authority has continued its risk-based approach to AML/CFT supervision of the RPs to assess their compliance with their AML/CFT obligations and compliance with the applicable laws and regulations. This Circular (the “Circular”) sets out the findings by the Authority from Inspections conducted on RPs for the period 1 January 2022 to 31 March 2024. The scope and methodology for the Inspections are set out in Appendix 1 below.

The Authority continues to remind all RPs of their regulatory obligations to adhere to legislation, regulations, regulatory rules and/or statements of guidance, and to ensure that their policies, procedures, systems, and controls are of an appropriate standard.

RPs should closely consider the findings in this Circular and ensure that their AML/CFT policies, procedures, systems, and controls are always of the appropriate standard, noting that they may be subject to an Inspection by the Authority.

More broadly, all Financial Service Providers (FSPs) may use this Circular to enhance their AML/CFT compliance. In particular, FSPs should focus on strengthening their regimes concerning policies and procedures, ongoing monitoring, employee training and oversight of compliance functions. In doing so, FSPs can reduce the risks of their businesses being abused by criminals.

 

Executive Summary of Inspections

This Circular draws on two sets of data, presented separately: overall findings per RP inspected, and CDD and risk assessment findings across the files reviewed.

 

Overall Findings per RP Inspected

The Authority has observed an improvement in compliance by RPs since January 2022 and acknowledges the progress that RPs have made in implementing their AML/CFT policies, procedures, systems, and controls. Notably:

  1. Employee training and awareness programme: evidencing that their employees are aware of their regulatory obligations appropriate to their roles, including where specific to the Cayman Islands. 
  2. Oversight of AML/CFT compliance function: demonstrating oversight of the compliance function by their Board of Directors (“Board”) or its equivalent.
  3. Outsourced AML/CFT compliance functions: regarding their outsourcing policies, procedures, and risk assessments.
  4. Assessing risks and application of a Risk-Based Approach (“RBA”): assessing risk and applying an RBA relative to their identified AML/CFT risks.
  5. Internal reporting: maintaining logs regarding the reporting of suspicion and declined business.
  6. Record keeping: evidencing that all relevant records are appropriately maintained and readily accessible to the Authority.

The chart below illustrates improvements in the implementation of AML/CFT policies, procedures, systems, and controls from October 2020 to March 2024:

Notwithstanding the encouraging results above, there were some instances where improvements were not seen:

  1. Customer Due Diligence (“CDD”) and ongoing monitoring documentation: For the period January 2022 to March 2024, 81% of the RPs inspected indicated weaknesses in their CDD and ongoing monitoring programmes. This compares to 75% for the period October 2020 to December 2021.
  2. Independent AML/CFT Audit Function: For the period January 2022 to March 2024, 63% of the RPs inspected indicated weaknesses in establishing and implementing an effective independent risk-based audit function. This compares to 47% for the period October 2020 to December 2021.

A review of the RPs’ policies and procedures and the adequacy and effective implementation of their AML/CFT programmes including outsourced AML/CFT functions revealed the following weaknesses:

Policies and procedures

Identified areas | % of RPs inspected with indicated weaknesses
Risk-based approach | 58%
Customer identification, verification, and ongoing monitoring | 41%
Sanctions compliance systems and controls | 36%
Internal reporting | 26%
Employee screening | 13%
Counterproliferation financing | 12%
Record keeping | 10%
Independent periodic AML/CFT audit to evaluate system controls | 9%
Periodic review of procedural manuals to incorporate changes in the Cayman Islands regulatory framework | 6%
Groupwide programmes | 5%

 

Summary of CDD and risk assessment findings across the customer files reviewed

A review across all the customer files revealed the following weaknesses:

  1. Sanctions compliance: 28% of findings indicated weaknesses in the documentation of customer sanctions screening during onboarding and on an ongoing basis, and of resolution of potential matches.
  2. Customer risk assessments: 24% of findings indicated weaknesses in the documentation of customer risk assessments and the risk factors considered before determining their overall customer risk category and the appropriate level and type of mitigation to be applied. 
  3. Missing or inadequate CDD documentation: 19% of findings indicated weaknesses in the documentation of identification and verification to evidence the identity of the ultimate beneficial owners or controllers and relevant parties.
  4. Ongoing monitoring: 18% of findings indicated weaknesses in documentation of ongoing monitoring to evidence periodic customer file reviews and transaction monitoring.
  5. Simplified due diligence (“SDD”) measures: 6% of findings indicated weaknesses in the documentation of the basis for applying SDD measures for low-risk customers.
  6. Enhanced due diligence (“EDD”) measures: 3% of findings indicated weaknesses in implementing EDD measures for high-risk customers.
  7. Source of wealth and/or funds: 1% of findings indicated weaknesses in maintaining the documentary evidence of the customer’s source of wealth and/or funds or information to verify the origin of the funds or the accumulated wealth.

 

Detailed Findings of Inspections

The AMLRs and AML Guidance Notes require all RPs to put in place AML/CFT policies, procedures, systems, and controls appropriate for the nature, size, and complexity of their businesses.

The Inspections conducted considered each element of the AMLRs and AML Guidance Notes as set out below in the detailed findings of this Circular. 

AML/CFT policies and procedures

Regulation 5(a) of the AMLRs and Part II Section 2(b) of the AML Guidance Notes outline the AML/CFT systems and programmes to be developed and maintained by all RPs.

Based on the Inspections conducted, RPs lacked appropriate policies and procedures as outlined in the Executive Summary.

RPs are expected under the AMLRs to maintain appropriate procedures proportionate to the size of their business. RPs are also expected to periodically review their procedure manuals to incorporate changes in the Cayman Islands regulatory framework. The frequency of review may be based on the size, nature, and complexity of the RP; however, it is expected to be done at least annually or where there are significant changes to the AML/CFT systems and obligations.

RPs that are part of a group are expected to implement group-wide AML/CFT programmes under the AMLRs. Additionally, RPs are expected to conduct a gap analysis between their group-wide AML/CFT programmes and the Cayman Islands AML/CFT legislative and regulatory requirements to ensure that they, at a minimum, comply with the applicable Cayman Islands requirements. Where gaps are identified during the gap analysis, RPs are expected to address those by making amendments to their AML/CFT programmes, as appropriate.

 

CDD and ongoing monitoring programmes

Regulation 12 of the AMLRs and Part II Sections 4 and 16 of the AML Guidance Notes outline the customer identification, verification, and ongoing monitoring procedures. Based on the Inspection results, 81% of the RPs indicated weaknesses in their CDD and ongoing monitoring programmes. 

Specifically, 19% of findings across files reviewed lacked or had insufficient CDD documentation such as:

  1. Identification of ultimate beneficial owners; 
  2. Identification for directors or authorised parties or controllers; 
  3. Verification of identification documents; and 
  4. Constitutional documents such as registers of members, registers of directors, certificates of incorporation, and certificates of good standing for legal persons. 

Further, 18% of findings across the files reviewed related to a lack of evidence to demonstrate that the RPs were implementing adequate ongoing monitoring procedures. For example, the following gaps were noted:

  1. Lack of documentation of the periodic customer file reviews conducted; and 
  2. Lack of documentation to evidence the transactional monitoring procedures implemented.

RPs are expected under the AMLRs to obtain all relevant information or data from reliable, independent source documents, data, or information to evidence that they have identified and verified the beneficial owners and other authorised persons who have effective control over the customer. 

RPs are also expected under the AMLRs to implement adequate ongoing monitoring systems and controls which will enable them to ensure that documents, data or information collected under the CDD process are kept current and relevant to CDD, by reviewing existing records at appropriate times.

 

Independent AML/CFT audit function 

Regulation 5(a)(ix) of the AMLRs and Part II Section 10(b) of the AML Guidance Notes outline the requirements for putting in place an appropriate effective risk-based independent audit function to perform periodic AML/CFT audits to evaluate the RP’s AML/CFT systems or controls.

From the Inspections conducted, 63% of the RPs indicated gaps in their AML/CFT Audit Function, such as:

  1. Lack of policies and procedures with guidelines for an internal audit function;
  2. Lack of evidence of AML/CFT/CPF and Sanctions audits being conducted;
  3. Audits that lacked testing of the overall effectiveness of the RP’s AML/CFT controls; and
  4. Lack of evidence that audits were independent.

Under the AMLRs, RPs are expected to put in place an appropriate effective risk-based independent audit function proportionate to the nature, size, and complexity of their business activities. An AML/CFT Auditor is also expected to be operationally independent of the underlying activities and the related internal control processes. In addition, the AML/CFT periodic audits are expected to assess all of the RP’s relevant policies, procedures, systems, and controls in line with the regulatory requirements.

 

Employee training and awareness

Regulation 5(c) and (d) of the AMLRs and part II section 10(E) of the AML Guidance Notes also outline the AML/CFT employee training and awareness guidance and/or requirements.

Based on the Inspection results, 37% of the RPs indicated weaknesses in their AML/CFT employee and director training and awareness programmes. Specifically, the gaps noted included the following:

  1. Lack of AML/CFT training conducted for new employees; 
  2. Lack of in-depth training for the AML Compliance Officer (“AMLCO”)/ Money Laundering Reporting Officer (“MLRO”);
  3. Lack of higher-level training for the directors or equivalent; and
  4. Lack of training specific to the Cayman Islands.

Under the AMLRs, RPs are expected to train their employees and also take appropriate measures from time to time to make employees aware of their AML/CFT procedures and the enactments relating to money laundering, terrorist financing, proliferation financing and targeted financial sanctions.

 

Oversight of the compliance function

Regulation 3(1), 5(e) of the AMLRs, and part II section 2(C), (2) and (5) of the AML Guidance Notes outline the requirements to designate a person at the managerial level as the AMLCO who periodically reports directly to the Board or equivalent.

As noted in the Executive Summary, 33% of the RPs inspected appeared to lack a comprehensive corporate governance framework to effectively monitor the RP’s AML/CFT compliance. For example, the following deficiencies were noted:

  1. Lack of appropriate Board oversight of the entity’s controls, policies, or procedures. For example, Board minutes indicate no discussion of AML/CFT compliance matters including a lack of periodic reporting by the AMLCO to the Board.
  2. Lack of evidence of the Board approving key AML/CFT policies and procedures; and
  3. Lack of documented corporate governance policies and procedures outlining the structure and collective duties of the Board or its equivalent with respect to AML/CFT compliance.

Under the AMLRs, the RP is ultimately responsible for complying with the applicable AML/CFT obligations. Therefore, the Board or its equivalent is expected to provide effective oversight of the RP to monitor its compliance with the laws and regulations of the Cayman Islands. Such oversight is an important part of setting a culture of compliance from the top down. 

 

Outsourced AML/CFT compliance functions

Regulation 3(2) of the AMLRs and part II sections 2(C), (10) (12) (13) (14) and section 10(C) of the AML Guidance Notes set out the requirements and/or considerations before and/or after placing reliance or outsourcing/delegating the performance of the RP’s compliance function.

Based on the Inspection results, 30% of the RPs indicated weaknesses in their delegation/outsourcing frameworks including:

  1. Lack of documented outsourcing policies and procedures; 
  2. Lack of outsourcing agreements that clearly set out the obligations of all parties involved; 
  3. Lack of detail in outsourcing agreements such as formal contingency plans; and
  4. Lack of materiality, service provider due diligence and periodic risk assessments.

RPs are ultimately responsible for compliance with the applicable requirements under the AMLRs. Therefore, it is essential that the Board or equivalent and/or senior management has in place a comprehensive outsourcing framework and provides adequate oversight for all the outsourced material AML/CFT functions.

 

Assessing risk and application of an RBA

Regulation 8 of the AMLRs and part II section 3 of the AML Guidance Notes outline to RPs how to assess risk and apply an RBA relative to their identified AML/CFT risks. As indicated in the summary of overall findings, 29% of the RPs inspected showed weaknesses in their assessment of risk and application of an RBA. Specifically, the RPs lacked the following:

  1. A documented overall business risk assessment taking into consideration all the relevant AML/CFT risks relative to the RP’s structure and business activities, including the requirement to risk assess the development of new products and business practices;
  2. The establishment of the entity’s risk appetite and/or risk tolerance enabling the evaluation of residual risk; and 
  3. A documented RBA methodology explaining the process for the application and implementation of their customer risk assessment per the customer's perceived risk. For example, the incorporation of considerations of all applicable risk factors such as the criteria for assessing transaction or customer risk. 

In addition, 24% of findings across files reviewed revealed deficiencies including the following:

  1. Customer risk assessments were not being performed; 
  2. Customer risk assessments did not consider or appropriately apply all relevant risk factors for the customer before determining the level of overall risk and the appropriate level and type of mitigation; 
  3. Customer risk assessments were not reviewed and kept up to date as part of the RP’s ongoing monitoring programme; and 
  4. Customer risk assessment forms were not dated. 

RPs are expected under the AMLRs to document the RBA including implementation and monitoring procedures and updates to the RBA. Accordingly, the documentation of the relevant RBA policies, procedures, review results and responses should enable the RP to demonstrate to the Authority:

  • the system and procedures for risk assessment, including how the RP assesses AML/CFT risks; 
  • the details of the implementation of appropriate systems and procedures, including due diligence requirements, considering its risk assessments; 
  • how it monitors and, as necessary, improves the effectiveness of its systems and procedures; and 
  • the arrangements for reporting to senior management and the Board on the results of AML/CFT risk assessments and the implementation of its AML/CFT risk management systems and control processes. 

 

Internal reporting procedures

Regulation 34 of the AMLRs and part II section 9 of the AML Guidance Notes also outline the requirements for internal reporting procedures. 

Based on the Inspections, 10% of the RPs indicated weaknesses in their internal reporting procedures including:

  1. Deficiencies around reporting and record-keeping requirements for maintenance of suspicious activity reports (“SARs”) and Financial Reporting Authority (“FRA”) registers and logs of declined business; 
  2. Procedures lacking requirements such as substantiating and documenting reasons for suspicion and timeframes for filing a SAR; and 
  3. Deficiencies in maintaining logs for enquiries and/or requests from the FRA.

Under the AMLRs, RPs are required to put in place adequate internal reporting procedures in line with the Cayman Islands regulatory framework including the designation of an independent MLRO/DMLRO. 

 

Record keeping 

Regulation 31 of the AMLRs outlines the requirements for record-keeping procedures to be maintained by the RPs. Further, Part II section 8(E) of the AML Guidance Notes reiterates that RPs shall ensure that those records will be available to the Authority on request.

The Inspections conducted revealed that 10% of the RPs had weaknesses in their records management system. Specifically, the RPs failed to maintain an appropriate records management system to ensure that all their documentation is accessible to the Authority within the stipulated period. 

RPs are required under the AMLRs to ensure that all their records are maintained in line with the regulatory requirements and can be made available to the Authority on request, and to the FRA or law enforcement authorities, in accordance with the relevant provisions.

 

Sanctions compliance

Regulation 5(a)(v) and (viiib) and part II sections 13, 14, and 15 of the AML Guidance Notes outline the requirements for sanctions compliance policies, procedures, systems and controls.

For the RPs inspected, 28% of findings across files reviewed indicated weaknesses in gathering and maintaining sanctions screening documentation to evidence compliance with sanctions obligations applicable in the Cayman Islands. Specifically, gaps noted included: 

  1. Lack of documentation to evidence the sanctions screening of customers, including on an ongoing basis; and 
  2. Lack of documented evidence of the review and resolution of the potential sanctions matches.

Under the AMLRs, RPs are required to screen their customers and/or relevant parties or transactions to determine whether they are conducting or may conduct business involving any sanctioned person or person associated with a sanctioned person/country. Where there is a true match or suspicion, the law requires that RPs shall take steps that are required to comply with the sanctions obligations including filing of compliance reporting forms to the FRA. Additionally, RPs are required to file a SAR with the FRA, if they discover a relationship that contravenes a sanctions order or a direction under any applicable legislation, and document all the actions that were taken to comply with the targeted financial sanctions regime, and the rationale for each such action. 


SDD measures

Regulations 21 and 22 of the AMLRs and part II section 5 of the AML Guidance Notes outline the criteria for applying SDD measures for low-risk customers.

The Inspection results showed that 6% of findings across files reviewed revealed a lack of documented evidence for the rationale determining the applicability of SDD for low-risk customers. This compares to the 1% in the previous period. The criteria for applying SDD measures must be understood and appropriately applied.

Pursuant to the AMLRs, the Authority expects the RPs to document the basis for the application and implementation of SDD measures in line with the Cayman Islands regulatory framework. 

 

Conclusion and Recommendations

The Authority has noted an improvement in compliance by RPs since the prior period’s results. However, there is still room for improvement in the effectiveness of the policies and procedures, particularly around CDD, ongoing monitoring and maintenance of an appropriate effective independent audit function.

The Authority has issued requirements to the inspected RPs and expects that they will address identified deficiencies in a timely and thorough manner. The Authority is also taking enforcement action where appropriate and proportionate. 

The Authority continues to expect that all RPs will take note of these findings and act to ensure that their own AML/CFT compliance frameworks meet the standards prescribed and periodically assess their AML/CFT compliance programmes to ensure that they are appropriate for the nature, size, and complexity of their business.

The Authority will continue to promote its supervisory mandate through both offsite monitoring and onsite inspection processes. All FSPs are reminded that any breach of a law, regulation or rule or non-compliance with a statement of guidance may result in an enforcement action. This may also include, or be in addition to, the imposition of an administrative fine for any breach of the AMLRs. 

 


 

Appendix 1: Scope and Methodology for Inspections

This Circular is based on the inspection findings of one hundred and thirteen (113) RPs whose final reports were issued between 1 January 2022 and 31 March 2024. 

The percentages for the overall findings in the executive summary of this Circular are expressed as out of those one hundred and thirteen (113) RPs unless otherwise stated. The table below shows the services offered by these RPs analysed:

 

Service(s) offered by the RPs inspected | Number of RPs
Securities Manager | 50
Securities Advisor | 33
Broker Dealer | 7
Securities Arranger | 9
Securities Manager / Advisor | 7
Securities Manager / Advisor / Arranger | 3
Securities Advisor / Arranger | 2
Broker Dealer / Arranger | 1
Broker Dealer / Manager / Arranger | 1
Total | 113

 

The scope and methodology of Inspections included, but was not limited to, the following:

  1. An assessment of the adequacy of the RP’s corporate governance framework and its operational effectiveness, including whether there is clear accountability for AML/CFT risk management and clear and independent escalation and decision-making;
  2. An assessment of the adequacy and the effective implementation of the RP’s AML/CFT compliance programme including its AML/CFT risk management policies and procedures and the associated internal controls. If any component of the RP’s compliance function is outsourced, an assessment of the implementation of the RP’s outsourcing procedures; and 
  3. An assessment of the operational effectiveness of the RP’s AML/CFT controls that involved sample testing across relevant applicable areas. A sample population of 673 customer files was selected across all the selected RPs. File sampling took place by a combination of random selection and selection based on specific characteristics of the customer e.g. risk profile. The Authority assessed each file for compliance with applicable customer identification and verification legislation, rules and standards of the Cayman Islands and the Authority. 

The Authority has prepared individual reports for the RPs inspected and will take appropriate and proportionate action where necessary. Individual RPs are not to consider this Circular as a source of confirmation as to whether any issued requirements have been met.

 
