In a Notice dated 25 January 2019, the Cayman Islands Monetary Authority (‘CIMA’) reminds entities registered under the Cayman Islands (‘Cayman’) Securities Investment Business Law (2015 Revision) (‘SIBL’) of their Anti-Money Laundering (‘AML’) Countering the Financing of Terrorism (‘CFT’) responsibilities. It also sets out issues which have arisen in 2018 audits which may help organisations identify areas which they may need to address in their own organisation to ensure that the expected standards are being met.
What are these audits?
In 2018 CIMA has been asking companies registered to conduct securities investment business as an Excluded Person (‘Excluded Persons‘) to have their AML/CFT systems and procedures audited by an appropriately qualified professional to assess the entity’s compliance with The Anti-Money Laundering Regulations (2018 Revision) (the ‘AMLRs’). CIMA then uses the resulting audit to assess how frequently it needs to carry out further audits on the Excluded Person.
Can CIMA do this?
CIMA can ask for these audits in the exercise of its powers, pursuant to Section 5(5) of SIBL. The AMLRs and the Guidance Notes on the Prevention and Detection of Money Laundering and Terrorist Financing in the Cayman Islands, December 2017 (‘AML/CFT Guidance Notes’) (and Schedule 6 (16) of the Proceeds of Crime Law (2018 Revision)) require entities conducting relevant financial business, including those carrying out securities investment business, whether or not licensed with or registered by CIMA, to comply with the applicable laws and obligations to prevent and report money laundering, terrorist financing and proliferation financing.
What common failings has CIMA found?
A review of the AML/CFT reports received during 2018 identified the following common themes and key control deficiencies:
- Failure to adequately document AML/CFT policies and procedures;
- The wholesale adoption of group-wide AML/CFT policies with no evidence of a gap analysis having been undertaken to ensure that they comply with Cayman requirements;
- Failure to adopt or adhere to outlined AML/CFT policies;
- Lack of a client risk matrix, undated risk assessments or inconsistent risk ratings;
- Failure to adequately document client acceptance procedures;
- Inconsistencies when reporting suspicious activities
- Lack of evidence to support on-going monitoring, such as data scrubbing and receipt of updated Know Your Customer (‘KYC’) due diligence;
- Lack of evidence to support adequate AML training for staff, the Money Laundering Responsible Officer (‘MLRO’) or Senior Management.
What will an audit look at?
CIMA explains in the Notice the scope of an AML/CFT audit report. At a minimum this should assess whether the entity:
- has adequate AML/CFT policies and procedures, internal controls/risk management and implementation of the same;
- is carrying on business in a fit and proper manner, as are its Directors;
- conducts periodic reviews of its operations against the AML/CFT and current industry best practice;
- maintains a relevant client Risk Matrix and has in place adequate identification procedures around the on-boarding of clients;
- has adequate internal reporting procedures, including the maintenance of a suspicious activity reporting log;
- has adequate record-keeping procedures and maintenance thereof in accordance with prescribed periods as required under the AMLRs;
- demonstrates separation of the role of the Anti-Money Laundering Compliance Officer and the MLRO from the shareholders of the Company; and
- has adequate identification and record keeping policies and procedures relating to wire transfers;
- provides adequate AML training to its management, staff and in particular, the MLRO;
- conducts a gap analysis to ensure any global policy complies with Cayman AML/CFT framework;
- has marketing material which includes false or misleading representations, or omissions that could ultimately mislead investors.
New forms for Registration and Renewal of Excluded Persons
In an earlier Notice dated 9 January 2018, CIMA set out revisions to the Excluded Persons Renewal and Registration forms, which require additional information (see here).