Registered Persons (“RPs”) are defined under Schedule 4 and Section 5(4) of the Securities Investment Business Act (“SIBA”). RPs carry out securities investment business in or from the Cayman Islands, including dealing in securities, arranging deals, investment management, and providing investment advice. The SIBA provides for the regulation of the RPs engaged in these activities in or from the Cayman Islands, including market makers, broker-dealers, securities arrangers, securities advisors, and securities managers.
In 2020, the Cayman Islands Monetary Authority (“CIMA” or the “Authority”) commenced its risk-based approach to supervision of RPs to assess their anti-money laundering (“AML”), countering the financing of terrorism (“CFT”), countering proliferation financing (“CPF”) and targeted financial sanctions (“Sanctions”) (collectively, “AML/CFT”) policies, procedures, systems, and controls. The Authority conducted on-site inspections (“Inspections”) to determine whether RPs met the requirements of the Anti-Money Laundering Regulations (the “AMLRs”), the Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands (the “AML Guidance Notes”), as well as other applicable legislations, rules, and accepted standards of best practice.
In 2020 and 2022, the Authority published its first supervisory circular and second supervisory circular setting out the findings from Inspections conducted for the RPs in 2020 and 2021, and the controls required to be undertaken by the RPs to address the identified deficiencies.
From 2022 to date, the Authority has continued its risk-based approach to AML/CFT supervision of the RPs to assess their compliance with their AML/CFT obligations and compliance with the applicable laws and regulations. This Circular (the “Circular”) sets out the findings by the Authority from Inspections conducted on RPs for the period 1 January 2022 to 31 March 2024. The scope and methodology for the Inspections are set out in Appendix 1 below.
The Authority continues to remind all RPs of their regulatory obligations to adhere to legislation, regulations, regulatory rules and/or statements of guidance, and to ensure that their policies, procedures, systems, and controls are of an appropriate standard.
RPs should closely consider the findings in this Circular and ensure that their AML/CFT policies, procedures, systems, and controls are always of the appropriate standard, noting that they may be subject to an Inspection by the Authority.
More broadly, all Financial Service Providers (FSPs) may use this Circular to enhance their AML/CFT compliance. In particular, FSPs should focus on strengthening their regimes concerning policies and procedures, ongoing monitoring, employee training and oversight of compliance functions. In doing so, FSPs can reduce the risks of their businesses being abused by criminals.
This Circular derives from two sets of data, which have been separated as overall findings per RP inspected, and CDD and risk assessment findings, across files reviewed.
The Authority has observed an improvement in compliance by RPs since January 2022 and acknowledges the progress that RPs have made in implementing their AML/CFT policies, procedures, systems, and controls. Notably:
The chart below illustrates improvements in the implementation of AML/CFT policies, procedures, systems, and controls from October 2020 to March 2024:
Notwithstanding the encouraging results above, there were some instances where improvements were not seen:
A review of the RPs’ policies and procedures and the adequacy and effective implementation of their AML/CFT programmes including outsourced AML/CFT functions revealed the following weaknesses:
Policies and procedures
Identified areas | % of RPs inspected with indicated weaknesses |
---|---|
Risk-based approach | 58% |
Customer identification, verification, and ongoing monitoring | 41% |
Sanctions compliance systems and controls | 36% |
Internal reporting | 26% |
Employee screening | 13% |
Counterproliferation financing | 12% |
Record keeping | 10% |
Independent periodic AML/CFT audit to evaluate system controls | 9% |
Periodic review of procedural manuals to incorporate changes in the Cayman Islands regulatory framework | 6% |
Groupwide programmes | 5% |
Summary of CDD and risk assessment findings across the customer files reviewed
A review across all the customer files revealed the following weaknesses:
Detailed Findings of Inspections
The AMLRs and AML Guidance Notes require all RPs to put in place AML/CFT policies, procedures, systems, and controls appropriate for the nature, size, and complexity of their businesses.
The Inspections conducted considered each element of the AMLRs and AML Guidance Notes as set out below in the detailed findings of this Circular.
Regulation 5(a) of the AMLRs and Part II Section 2(b) of the AML Guidance Notes outlines the AML/CFT systems and programmes to be developed and maintained by all RPs.
Based on the Inspections conducted, RPs lacked appropriate policies and procedures as outlined in the Executive Summary.
RPs are expected under the AMLRs to maintain appropriate procedures proportionate to the size of their business. RPs are also expected to periodically review their procedure manuals to incorporate changes in the Cayman Islands regulatory framework. The frequency of review may be based on the size, nature, and complexity of the RP; however, it is expected to be done at least annually or where there are significant changes to the AML/CFT systems and obligations.
RPs that are part of a group are expected to implement group-wide AML/CFT programmes under the AMLRs. Additionally, RPs are expected to conduct a gap analysis between their group-wide AML/CFT programmes and the Cayman Islands AML/CFT legislative and regulatory requirements to ensure that they, at a minimum, comply with the applicable Cayman Islands requirements. Where gaps are identified during the gap analysis, RPs are expected to address those by making amendments to their AML/CFT programmes, as appropriate.
Regulation 12 of the AMLRs and Part II Sections 4 and 16 of the AML Guidance Notes outline the customer identification, verification, and ongoing monitoring procedures. Based on the Inspection results, 81% of the RPs indicated weaknesses in their CDD and ongoing monitoring programmes.
Specifically, 19% of findings across files reviewed lacked or had insufficient CDD documentation such as:
Further, 18% of findings across the files reviewed related to a lack of evidence to demonstrate that the RPs were implementing adequate ongoing monitoring procedures. For example, the following gaps were noted:
RPs are expected under the AMLRs to obtain all relevant information or data from reliable, independent source documents, data, or information to evidence that they have identified and verified the beneficial owners and other authorised persons who have effective control over the customer.
RPs are also expected under the AMLRs to implement adequate ongoing monitoring systems and controls which will enable them to ensure that documents, data or information collected under the CDD process are kept current and relevant to CDD, by reviewing existing records at appropriate times.
Regulation 5(a)(ix) of the AMLRs and Part II Section 10(b) of the AML Guidance outline the requirements for putting in place an appropriate effective risk-based independent audit function to perform periodic AML/CFT audits to evaluate the RP’s AML/CFT systems or controls.
From the Inspections conducted, 63% of the RPs indicated the following gaps in their AML/CFT Audit Function such as:
Under the AMLRs, RPs are expected to put in place an appropriate effective risk-based independent audit function proportionate to the nature, size, and complexity of their business activities. An AML/CFT Auditor is also expected to be operationally independent of the underlying activities and the related internal control processes. In addition, the AML/CFT periodic audits are expected to assess all RP’s relevant policies, procedures, systems, and controls in line with the regulatory requirements.
Regulation 5(c) and (d) of the AMLRs and part II section 10(E) of the AML Guidance Notes also outline the AML/CFT employee training and awareness guidance and/or requirement.
Based on the Inspection results, 37% of the RPs indicated weakness in their AML/CFT employee and directors training and awareness programmes. Specifically, the gaps noted included the following:
Under the AMLRs, RPs are expected to train their employees and also take appropriate measures from time to time to make employees aware of their AML/CFT procedures and the enactments relating to money laundering, terrorist financing, proliferation financing and targeted financial sanctions.
Regulation 3(1), 5(e) of the AMLRs, and part II section 2(C), (2) and (5) of the AML Guidance Notes outline the requirements to designate a person at the managerial level as the AMLCO who periodically reports directly to the Board or equivalent.
Under the AMLRs, the RP is ultimately responsible for complying with the applicable AML/CFT obligations. Therefore, the Board or its equivalent is expected to provide effective oversight of the RP to monitor its compliance with the laws and regulations of the Cayman Islands. Such oversight is an important part of setting a culture of compliance from the top down.
Regulation 3(2) of the AMLRs and part II sections 2(C), (10) (12) (13) (14) and section 10(C) of the AML Guidance Notes set out the requirements and/or considerations before and/or after placing reliance or outsourcing/delegating the performance of the RP’s compliance function.
Based on the Inspection results, 30% of the RPs indicated weaknesses in their delegation/outsourcing frameworks including:
RPs are ultimately responsible for compliance with the applicable requirements under the AMLRs. Therefore, it is essential that the Board or equivalent and/or senior management has in place a comprehensive outsourcing framework and provides adequate oversight for all the outsourced material AML/CFT functions.
Regulation 8 of the AMLRs and part II section 3 of the AML Guidance Notes outline to RPs how to assess risk and apply a RBA relative to their identified AML/CFT risks. As indicated in the summary of overall findings, 29% of the RPs inspected showed weaknesses in their assessment of risk and application of a RBA. Specifically, the RPs lacked the following:
In addition, 24% of findings across files reviewed revealed deficiencies including the following:
RPs are expected under the AMLRs to document the RBA including implementation and monitoring procedures and updates to the RBA. Accordingly, the documentation of the relevant RBA policies, procedures, review results and responses should enable the RP to demonstrate to the Authority:
Regulation 34 of the AMLRs and part II section 9 of the AML Guidance Notes also outline the requirements for internal reporting procedures.
Based on the Inspections, 10% of the RPs indicated weaknesses in their internal reporting procedures including:
Under the AMLRs, RPs are required to put in place adequate internal reporting procedures in line with the Cayman Islands regulatory framework including the designation of an independent MLRO/DMLRO.
Regulation 31 of the AMLRs outlines the requirements for record-keeping procedures to be maintained by the RPs. Further, Part II section 8(E) of the AML Guidance notes reiterates that RPs shall ensure that those records will be available to the Authority on request.
The Inspections conducted revealed that 10% of the RPs had weaknesses in their records management system. Specifically, the RPs failed to maintain an appropriate records management system to ensure that all their documentation is accessible to the Authority within the stipulated period.
RPs are required under the AMLRs to ensure that all their records are maintained in line with the regulatory requirements and can be made available to the Authority on request, and to the FRA or law enforcement authorities, in accordance with the relevant provisions.
Regulation 5(a)(v) and (viiib) and part II sections 13, 14, and 15 of the AML Guidance Notes outline the requirements for sanctions compliance policies, procedures, systems and controls.
For the RPs inspected, 28% of findings across files reviewed indicated weaknesses in gathering and maintaining sanctions screening documentation to evidence compliance with sanctions obligations applicable in the Cayman Islands. Specifically, gaps noted included:
Under the AMLRs, RPs are required to screen their customers and/or relevant parties or transactions to determine whether they are conducting or may conduct business involving any sanctioned person or person associated with a sanctioned person/country. Where there is a true match or suspicion, the law requires that RPs shall take steps that are required to comply with the sanctions obligations including filing of compliance reporting forms to the FRA. Additionally, RPs are required to file a SAR with the FRA, if they discover a relationship that contravenes a sanctions order or a direction under any applicable legislation, and document all the actions that were taken to comply with the targeted financial sanctions regime, and the rationale for each such action.
Regulations 21 and 22 of the AMLRs and part II section 5 of the AML Guidance Notes outline the criteria for applying SDD measures for low-risk customers.
The Inspection results revealed that 6% of findings across files reviewed revealed a lack of documented evidence for the rationale determining the applicability of SSD for low-risk customers. This compares to the 1% in the previous period. The criteria for applying SDD measures must be understood and appropriately applied.
Pursuant to the AMLRs, the Authority expects the RPs to document the basis for the application and implementation of SDD measures in line with the Cayman Islands regulatory framework.
The Authority has noted an improvement in compliance by RPs since the prior period’s results. However, there is still room for improvement in the effectiveness of the policies and procedures, particularly around CDD, ongoing monitoring and maintenance of an appropriate effective independent audit function.
The Authority has issued requirements to the inspected RPs and expects that they will address identified deficiencies in a timely and thorough manner. The Authority is also taking enforcement action where appropriate and proportionate.
The Authority continues to expect that all RPs will take note of these findings and act to ensure that their own AML/CFT compliance frameworks meet the standards prescribed and periodically assess their AML/CFT compliance programmes to ensure that they are appropriate for the nature, size, and complexity of their business.
The Authority will continue to promote its supervisory mandate through both offsite monitoring and onsite inspection processes. All FSPs are reminded that any breach of a law, regulation or rule or non-compliance with a statement of guidance may result in an enforcement action. This may also include, or be in addition to, the imposition of an administrative fine for any breach of the AMLRs.
This Circular is based on the inspection findings of one hundred and thirteen (113) RPs whose final reports were issued between 1 January 2022 and 31 March 2024.
The percentages for the overall findings in the executive summary of this Circular are expressed as out of those one hundred and thirteen (113) RPs unless otherwise stated. The table below shows the services offered by these RPs analysed:
Service(s) offered by the RPs inspected | Number of RPs |
---|---|
Securities Manager | 50 |
Securities Advisor | 33 |
Broker Dealer | 7 |
Securities Arranger | 9 |
Securities Manager / Advisor | 7 |
Securities Manager / Advisor / Arranger | 3 |
Securities Adviser / Arranger | 2 |
Broker Dealer / Arranger | 1 |
Broker Dealer / Manager / Arranger | 1 |
Total | 113 |
The scope and methodology of Inspections included, but was not limited to, the following:
Be the first to know about releases and industry news and insights.