Onsite Inspections Findings, Licensees’ AML/CFT Supervisory Approach & Thematic Review

Onsite Inspections and the Use of ‘Requirements’ Stemming from Findings

Prior to the 2016 calendar year, the Cayman Islands Monetary Authority ("CIMA") classified the corrective actions emanating from onsite inspection findings into ‘Requirements’ and ‘Recommendations’. The expectation was that if an inspection finding has been deemed serious enough to be outlined or detailed within the onsite inspection report sent to a Licensee, the Licensee would comply with the corrective action as outlined or detailed. However, the use of the word Recommendations may have caused confusion, with some Licensees taking the approach that compliance with a Recommendation was optional.

The Regulatory Handbook issued by CIMA also allowed CIMA to issue suggestions, which were meant to be optional.

In June 2016, CIMA decided that all corrective actions to address material deficiencies observed during onsite inspections would be classified as ‘Requirements’ and that such requirements would be prioritised in order of severity. In response to industry requests, the Regulatory Handbook was amended in July 2017, to prioritise inspection findings and to remove the use of “suggestions”. 

CIMA has received questions about the applicability of this approach to Statements of Guidance (SoGs). SoGs represent CIMA’s minimum expectations of Licensees and are there to buttress the Rules, Laws and Legislation. SoGs therefore do have a binding effect. A typical example of a SoG that buttresses a Rule is ‘Responsibilities of Insurance Managers’. Amongst other things, this SoG deals with the control Insurance Managers must have over the Class B insurer, access to books and records and how this must be done from the Cayman Islands. This SoG reinforces Section 6 of the Insurance Law, 2010, that requires Insurance Managers to have full and proper records of the Class B insurer. 

As a result the corrective actions required for each onsite inspection finding are now classified as “Requirements”. Each Requirement is given a corresponding priority level where there is a breach of a Law, Regulatory Rule, and Regulatory Policy or where there are deficiencies as per the relevant SoGs and good governance. The Requirements must be adopted and implemented by the Licensee within the time frames specified under each Requirement. Licensees are required to provide monthly update reports to CIMA until the Requirements have been fully implemented. The monthly update report should indicate the status of the Requirements, the remedial actions taken by the Licensee, and the estimated completion date. If the implementation of any Requirements is delayed beyond the dates stipulated in the onsite inspection report, it should be brought to the attention of CIMA and highlighted in the monthly update report.

CIMA’s AML/CFT supervisory approach of Licensees conducting general insurance business 

CIMA utilises a risk-based approach to its supervision of Licensees in relation to the relevant laws, regulations, rules and guidance notes on Anti-Money Laundering (“AML”) and Combating the Financing of Terrorism (“CFT”) i.e. the Money Laundering Regulations (2015 Revision) (“MLR”); Guidance Notes on the Prevention and Detection of Money Laundering and Terrorist Financing in the Cayman Islands, August 2015 (“the AML Guidance Notes”); and the Proceeds of Crime Law, (2016 Revision) (“POCL”). 

In view of the above, CIMA looks at the inherent risks within a Licensee’s business and risk rates the AML/CFT risk accordingly. For example, the inherent risks of a bank account being used for AML/CFT purposes are higher than that of an insurance policy simply because it is easier to transfer funds via a bank account rather than an insurance policy. Furthermore, specifically in the insurance sector, it is widely accepted and agreed, as demonstrated through various FATF typologies, that life insurance business poses a higher AML/CFT risk than general insurance. 

Life insurance policies with an investment element and cash surrender value pose a higher AML/CFT risk than pure life policies that offer only protection without an investment and surrender value. Examples of life insurance policies that could be prone to AML/CFT abuse could be single premium life policies; annuity policies; high regular premium savings policies; policies that offer a refund of premiums and a cooling-off period; and policies that allow surrenders, redemptions and withdrawals.

This is not to say that general insurance products do not have an AML/CFT risk, albeit it might be considered to be lower than that of life insurance products. An objective of this Circular is to shed more light on CIMA’s supervisory approach to the AML/CFT treatment of Licensees conducting insurance business.

First and foremost, low risk does not mean no risk. Several cases exist wherein general insurance policies were used to launder money or fund terrorist activities. As such, the AML Guidance Notes requires all insurance companies and intermediaries to adopt sound risk management and internal controls for their operations. General insurers are not exempt from the AML Guidance Notes. The client, product, nature of business relationship formed and method of payment are a few of the factors that will affect the level of risk. It is therefore important for Licensees to develop a client profile for both personal and corporate customers. The AML Guidance Notes state that a significant factor determining the level of AML or CFT risk in any product is the level of premium payable on the policy and method of payment. A typical example would be a motor policy with an annual premium of CI$2,000 will present a much lower risk than one on a luxury car or car fleet in the case of a commercial motor policy, which commands a much higher premium and value at risk. Another example is property and casualty policies in the case of condominium developments. The premiums may be significant and insurers should be especially vigilant where requests are made for large premiums to be paid in cash. Insurers should equally ensure they have sound claims management as money laundering or terrorist financing can occur through overstated or spurious claims, e.g. by arson, staged motor vehicle accidents or other means causing a fraudulent claim to be made.

The AML Guidance Notes also provide examples of features of high risk and low risk general insurance products. It must be noted that while a policy may be considered inherently low risk, the manner in which it is used could increase the AML/CFT risk. An example would be a single travel policy. This could be considered low risk because the premium is low and the term date is short. However, an annual or group travel policy may be considered to pose an increased risk and controls should be applied appropriately. 

Policies that have high premium amounts; enable payments in cash; allow overpayments; and allow the cancellation and refund of premium are a few examples of possible higher AML/CFT risks. 

It should be noted that while some general insurance products might not be suitable for direct money laundering, the greater risk of fraud will generally mean a greater risk of AML/CFT. It is therefore pertinent that Licensees implement robust fraud prevention policies and procedures.

AML/CFT Thematic Review Findings

At the request of CIMA, 8 Insurance Licensees, primarily life insurers, were required to engage an independent party to conduct focussed AML/CFT assessments. In line with the Authority’s and the Division’s risk-based approach to supervision, CIMA selected Licensees for the AML/CFT Thematic Review based on the risk assessment of the Licensees, the date of the last inspection, the date of their last AML/CFT risk assessment, and perceived AML/CFT risks, amongst other factors. 

The purpose of the AML/CFT Thematic Review was to assess the Licensee’s compliance with the Insurance Law, 2010 (the “Law”), the Monetary Authority Law (2016 Revision) (the “MAL”), POCL, MLR as well as other applicable legislation and accepted standards of best practice. The focus was on AML/CFT, with a view to not only determining the level of compliance of individual Licensees, but to garner a sense of industry compliance. A summary of the aggregate findings is set out below in an effort to raise awareness and assist the wider industry to improve standards. 

Findings

Whilst two of the Licensees selected for the AML/CFT Thematic Review demonstrated a very high level of compliance, a number of areas of improvement were identified for all, with the majority of Licensees demonstrating a basic level of compliance. The individual and aggregate findings from the AML/CFT provide some interesting insights into the AML/CFT policy, procedural and internal control gaps within both the general and life insurance sectors. There were a number of failings where Licensees had not complied with the requirements of the MLR and the AML Guidance Notes. 

CIMA will continue to work with the affected Licensees to carry out the corrective action required in order to ensure full compliance. CIMA also takes this opportunity to inform the sector to be aware of these findings and avoid similar pitfalls. CIMA is minded to enforce compliance and will consider enforcement action against Licensees that fail to comply with AML/CFT regulations and regulatory laws.

The key findings of the thematic review are summarised below:

Requirements of the Money Laundering Regulations 

The MLRs require that relevant persons have in place anti-money laundering policies, procedures and practices, as summarised in section 5(1) of the Regulations. In addition relevant persons are specifically required not to form business relationships or carry out one-off transactions with or for another person without:

(a) Maintaining procedures which establish the identity of the Applicant for Business. 
(b) Maintaining record keeping procedures. 
(c) Adopting appropriate internal controls and communication procedures. 
(d) Complying with the identification and record keeping requirements. 
(e) Adopting appropriate measures to ensure that employees are aware of and comply with the procedures and the enactments of money laundering. 
(d) Providing appropriate training for employees. 

38% of the Licensees selected for the review were found to be in breach of this requirement.

Identification Procedures

?Section 3 of the Guidance Notes sets out two important aspects of knowing your customer, first being satisfied that a prospective customer is who he/she claims to be and is the ultimate client, and secondly ensuring that sufficient information is obtained on the nature of the business that the customer expects to undertake, and any expected, or predictable pattern of transactions. When considering entering into a business relationship, Licensees are expected to follow certain principles to ascertain the level of identification and verification checks to be completed on a customer. Prior to entering into a business relationship a Licensee is required to obtain full identity of the prospective customer including but not limited to nationality (country of incorporation in case of artificial person), the nature of business conducted and expected frequency of transactions with the Licensee. A Licensee is expected to obtain and verify appropriate documentary evidence to support representations made by prospective customers. Original documents or copies certified by suitable certifiers are required for this purpose. 

All Licensees selected for review were found to be in breach of this requirement

Procedures for Introduced Business

Section 3.67 – 3.84 of the AML Guidance Notes require that certain specified procedures be followed during identification and on-boarding process when a customer is referred by an Eligible Introducer. Such procedures should enable insurers to be able to produce satisfactory evidence of identity of the applicant for business. The Licensee is ultimately responsible for ensuring that adequate due diligence procedures are followed and that the documentary evidence of the Eligible Introducer, that is being relied upon, is satisfactory for these purposes.

25% of Licensees selected for review were found to be in breach of this requirement.

Treatment of Business Relationships Existing Prior To Enactment of The Regulations

Section 3.109 of the AML Guidance Notes requires Licensees that had business relationships prior to 30th September 2003 to adopt the following procedures to ensure that the necessary information is obtained on all existing customers: 

• Establish what constitutes satisfactory evidence of identity for its existing clients to be in compliance. 
• Conduct a risk assessment of the clients, and make a distinction between high and low risk cases. 
• Give immediate priority to obtaining the information required by the Guidance Notes for the identified high-risk cases. 
• Conduct the necessary due diligence on the remaining low risk cases over a longer term. 

38% of Licensees selected for review were found to be in breach of this requirement.

On-Going Monitoring of Business Relationships

Section 4 of the AML Guidance Notes provides that once the identification procedures have been completed and the client relationship is established, a Licensee is required to monitor the conduct of the relationship/account to ensure that it is consistent with the nature of business stated when the relationship/account was opened. This includes but not limited to developing, implementing and maintaining adequate written policies and procedures for taking reasonable measures to ensure that documents, data or information collected during the identification process are kept up-to-date and relevant by undertaking routine reviews of existing records. 

50% of Licensees selected for review were found to be in breach of this requirement.

Internal Reporting Procedures for Suspicious Activities

Section 5 of the AML Guidance Notes requires that Financial Services Providers must establish written internal procedures manual so that, in the event of a suspicious activity being discovered, all staff are aware of the reporting chain and the procedures to follow. Such manuals should be periodically updated to reflect any legislative changes. In addition, each Financial Services Provider should designate a suitably qualified and experienced person as Money Laundering Reporting Officer (“MLRO”) at management level, to whom suspicious activity reports must be made by staff. It is also recommended that Financial Services Providers identify a Deputy, who should be a staff member of similar status and experience to the MLRO.

63% of Licensees selected for review were found to be in breach of this requirement.

Compliance Management

Section 6.3 of the AML Guidance Notes requires that Financial Services Providers’ compliance management should include the appointment of a Compliance Officer, who may also be the MLRO, at the management level. A compliance officer should be sufficiently skilled and experienced, report directly to the board, have sufficient seniority, have sufficient resources including sufficient time and staff and have unfettered access to all business lines

13% of Licensees selected for review was found to be in breach of this requirement.

Employee Training

Section 6.7 of the AML Guidance Notes requires that where Financial Services Providers have staff they should ensure that all appropriate staff, (in accordance with Section 5(1) of the Regulations), receive training on money laundering prevention on a regular basis, ensure all staff fully understand the procedures and their importance, and ensure that they fully understand that they will be committing criminal offences if they contravene the provisions of the legislation.

38% of Licensees selected for review were found to be in breach of this requirement. 

Record Keeping Procedures

Section 7 of the Guidance Notes requires that Financial Services Providers maintain, for at least 5 years, all necessary records on transactions to be able to comply swiftly with information requests from the competent authorities. The goal is for Licensees to be able to reconstruct individual transactions and if necessary provided evidence for prosecution of criminal activity. 

13% of Licensees selected for review was found to be in breach of this requirement