TCSPs Onsite Inspections Findings & Administrative Fine Regime

We have just commenced a new calendar year and it is apropos that the Cayman Islands Monetary Authority (CIMA) and licensees alike continue to concentrate on fostering a compliant environment. CIMA has therefore chosen to share a non-exhaustive summary of key findings for trust and company services providers which were identified throughout the Authority’s 2016 on-site inspection cycle. Such information will aim to highlight common recurrent areas of non-compliance of licensees which have been inspected by CIMA during the past year. 

Albeit, the trust and company services sector was found to be generally compliant with the relevant and applicable supervisory legislation, statements of guidance and standards. CIMA encourages all licensees to take note of the summary of findings below, and where applicable, take remedial steps to ensure that your organisation’s practices are being carried out accordingly.

In the summary below, the following are considered to be the core applicable legislation and guidance:

• Companies Management Law
• Banks and Trust Companies Law (2015 Revision)
• Guidance Notes on the Prevention and Detection of Money Laundering and Terrorist Financing in the Cayman Islands August 2015 

Summary of Inspection Findings

Compliance Reviews and Internal Audit

Inspections highlighted that some licensees failed to undertake regular reviews of existing clients, and some of the reviews undertaken, failed to differentiate the risk ratings of the clients. In such cases, documentation of specific required information was lacking. The inspection program showed that licensees, in some instances, failed to;

• document the nature of business or source of funds, outside of the generic descriptions. There is a need for more meaningful descriptions of how the entity operates, which will provide further explanation regarding the source of funds.
• certify copies of KYC documentation. Although the licensees have copies of KYC documentation on file, the documentation was not certified, per the minimum standard established by the Guidance Notes on the Prevention and Detection of Money Laundering and Terrorist Financing (ref)
• collect and maintain KYC documentation, in accordance with the licensee’s own policies and procedures. Even though robust policies and procedures have been established, licensees are required to adhere to such rules in order for them to have the intended effect. The licensee should therefore consider whether it needs to, as applicable, revise its policies and procedures or strengthen its compliance program.
• provide legible identification documents. In circumstances where licensees have met clients personally, it is imperative that any identification that is being kept as record must be clearly legible and in English (or supported by a certified translation).

A proper program of compliance and Internal Audit reviews will assist licensees in identifying and correcting some of these deficiencies. The Authority’s Statements of Guidance allow licensees to have the flexibility to implement a program that is appropriate to the nature and scale of the licensee’s business.

Policies and procedures

All inspected licensees had policies and procedures manuals in place, geared at compliance with the Cayman Islands’ Anti-Money Laundering (AML) framework. The inspections evidenced however, that manuals were not in all instances subject to a program of regular review to ensure that policies and procedures continue to be optimal for a dynamic environment. There were a number of instances in which updates to the local legislative framework was not evidenced in updates to procedures or references in the manuals. In some cases, group entities relied upon a group manual which addressed KYC and risk assessment for of business development. However, the licensee failed to adequately provide policy and procedural support which was specific to the licensee’s line of business, as well as the local legislation. A licensee’s policies and procedures should clearly and consistently document the licensee’s expectations of its staff, and ultimately its business. The policies and procedures should therefore be reflective of the licensee’s assessment and understanding of its risks. It is a fair expectation that licensees update their manual in keeping with their updated risk assessments. Licensees that fail to regularly update their policies and procedures, many times do not have the appropriate mechanisms in place to keep abreast of applicable changes to local policy and legislation.

Training

There were still a number of instances in which AML training programmes could benefit from improvement. Inspections also revealed that training programmes are generally for the licensees inspected. However, in instances of specialised activity, the expectation is that such programmes should consider the risks presented by that specialised activity. This includes the risks and requirements posed by the jurisdictions with which the licensee engages in business, and where such requirements can be adapted accordingly. There were also a number of instances where the training programme applied to members of general staff, the Money Laundering Reporting Officer and the Compliance Officer. However, the programme did not consider the training needs of the board of directors. The Authority expects licensees to implement training for all staff and members of the board, and that the training administered to each member of a licensee’s team is considerate of the responsibilities and duties of each person being trained. The Authority also expects that licensees determine a frequency for training of staff based on the risk and complexity of its business.

Eligible Introducers Testing

The jurisdiction allows licensees to meet their KYC obligations through placing reliance on Eligible Introducers (EI) in Schedule 3 Countries for KYC documentation. However, this reliance requires the licensee to access the KYC documentation in respect of the introduced business, as and when necessary. The inspections revealed that, in some instances, licensees did not test the reliability of the EI arrangements which they were entered into, to determine whether introducers would be able to meet their documentary obligations if they arose. 

Administrative Fines Regime

A 2016 amendment to the Monetary Authority Law provides for a new Administrative Fines regime, which gives the Authority the power to impose administrative fines for noncompliance with laws, regulation and rules. The accompanying Regulations to support the regime are in the process of being finalised.

The Authority will categorise breaches as being “minor”, “serious” or “very serious”. Minor breaches will be those regulatory infractions that fall under the Non-Discretionary Administrative Fines regime ($5,000 per breach – Maximum of $20,000 if ongoing). The serious and very serious breaches will be those regulatory infractions that fall under the Discretionary Administrative Fines regime (single fine $50,000 – $1,000,000).