Recent Cayman Islands regulatory developments

By Chris Capewell; Martin Livingston; Yunie Wong; Daniel Moore, Maples Group

Published: 18 September 2023

Cayman Islands satisfies all FATF AML/CFT recommendations and action points

In order for jurisdictions to participate effectively in global financial markets, it is imperative to meet international standards set by supra-national agencies. 

A key example includes the Financial Action Task Force’s (FATF)  evaluation of countries’ anti-money laundering / counter-terrorist and proliferation financing (AML/CFT) regimes. The FATF now assess these regimes for both ‘technical compliance’ (i.e., whether the FATF’s Recommendations have been implemented in local laws) and ‘effectiveness’ (i.e., whether such local laws are being applied and enforced).

Why was the Cayman Islands added to the FATF’s and EU’s AML/CFT ‘Monitoring List’?

The Caribbean Financial Action Task Force (CFATF) conducted the 4th round of mutual evaluation of the Cayman Islands in late 2017 and produced the mutual evaluation report in March 2019. While the report recognised the well-established AML/CFT framework, it identified certain shortcomings in effectiveness, which led to an extension of scope of the AML/CFT National Risk Assessment, greater regulation of the securities sector, further transparency of beneficial ownership and greater interaction between the investigative agencies for enforcement and prosecutions.

On the latter point, the FATF noted that the Cayman Islands Action Plan should include “(1) applying sanctions that are effective, proportionate and dissuasive, and taking administrative penalties and enforcement actions against obliged entities to ensure that breaches are remediated effectively and in a timely manner; (2) imposing adequate and effective sanctions in cases where relevant parties (including legal persons) do not file accurate, adequate and up to date beneficial ownership information; and (3) demonstrating that they are prosecuting all types of money laundering in line with the jurisdiction’s risk profile and that such prosecutions are resulting in the application of dissuasive, effective, and proportionate sanctions” (Action Points).

Accordingly, in February 2021, the FATF added the Cayman Islands to its AML/CFT ‘Monitoring List’ (sometimes referred to as the FATF’s ‘grey’ list). The jurisdiction made a high-level political commitment to work with the FATF and CFATF to strengthen the effectiveness of its AML/CFT regime and remediate the Action Points. Consequently, in February 2022 the European Commission added the jurisdiction to its list of AML/CFT high risk jurisdictions.

How has the Cayman Islands satisfied all FATF Recommendations and Action Points?

The Cayman Islands Government, regulatory and enforcement agencies, and the jurisdiction’s stakeholders, made the removal of the Cayman Islands from these lists their greatest priority over the past three years. Action Point (1) was the remit of the Cayman Islands Monetary Authority (CIMA) and other AML Supervisory Authorities to resolve. Over the past three years, CIMA has increased the frequency and scope of its prudential inspections and has issued several breach notices and administrative fines to licensees for failures in AML/CFT controls. Similarly, for Action Point (2), the Ministry of Financial Services, as the competent authority for the beneficial ownership register regime, issued several enforcement notices for failure to file or record appropriate information.

Action Point (3) may have been the hardest to resolve, given the nature of money laundering prosecutions. Ordinarily, prosecutions are conducted in the jurisdiction where the predicate money laundering offence (i.e., the crime underlying the money laundering) occurred. For the Cayman Islands, and other offshore financial centres, while transactions may involve investment or finance vehicles established offshore, the activity or transaction is usually conducted or effected onshore.

As such, the offshore authorities usually support an onshore investigation or prosecution by sharing information with those authorities. Fortunately, (for the purpose of being de-listed), there were a couple of domestic money laundering matters which were prosecuted in 2022 resulting in sentencing in early 2023. 

The Cayman Islands governmental delegations have been attending each FATF Plenary, since being listed, to provide progress updates on each of the Action Points, and any other relevant legislative developments.

On 23 June 2023, the FATF confirmed that the Cayman Islands had satisfied all FATF Recommendations and Action Points on both ‘technical compliance’ and ‘effectiveness’, recognising that the jurisdiction has robust and effective AML/CFT regimes. The FATF’s decision is a welcome recognition of the Cayman Islands as a jurisdiction, which is fully committed to implementing internationally accepted standards. 

What benefits would the removals from the FATF’s and EU’s AML/CFT ‘Monitoring List’ bring to users of Cayman Islands vehicles?

Following successful completion of an on-site inspection by the FATF, the jurisdiction will be eligible to be removed from the FATF’s ‘grey’ list at the FATF’s October 2023 Plenary. It is expected that the de-listing should also result in the jurisdiction’s removal from the EU’s AML/CFT List. The Ministry of Financial Services continues to hold direct discussions with EU officials with a view to making progress on regime enhancements to facilitate removal from the EU’s AML/CFT List.

Both de-listings should eliminate any restrictions in conducting business with Cayman Islands vehicles and enhance global confidence in the use of Cayman Islands.

New and improved regulatory measures for CIMA regulated entities

On 14 April 2023, CIMA released a series of updated and new regulatory measures for all regulated entities, following industry consultation and feedback. The new measures, which come into effect on 14 October 2023, include the Rule and Statement of Guidance1 (SOG) on Internal Controls and a Rule on Corporate Governance for Regulated Entities. 

Why were the new regulatory measures issued?

In keeping with the commitments made to the FATF for enhanced regulation of certain sectors (including securities), CIMA has updated pre-existing Rules and SOGs and expanded their scope and application to certain regulated entities for consistency. Internal controls and corporate governance are key components across numerous international standards and the new measures align with international standards, e.g., Organisation for Economic Co-operation and Development (OECD) and International Organisation of Securities Commission (IOSCO). 

What do regulated entities need to do?

The objective of the new measures is to ensure that all regulated entities establish, implement and maintain a corporate governance framework and adequate and effective internal controls. 

CIMA will expect compliance to be evidenced by documentation and in practice. Documents evidencing implementation may include policies and procedures, compliance registers, board resolutions, governing body self-assessments, service agreements and constitutional documents. 

The new measures should not create any undue burden for regulated entities, as they largely reflect internationally accepted principles.

CIMA recognises that the application of such requirements is proportionate and may vary subject to the size, complexity, structure, nature of business, risk profile and operations of the regulated entity. Delegation to, or reliance on, the systems and controls of service providers or group entities through outsourcing arrangements is also permitted, subject to such policies and procedures meeting the requirements within the new measures and generally under Cayman Islands laws and regulations.

Why should regulated entities comply with the regulatory measures?

CIMA oversees regulated entities’ implementation of, and compliance with, the applicable Rules and SOGs by: (i) conducting inspections directly on regulated entities (e.g., investment managers and advisers) and indirectly on their service providers (e.g., fund administrators and corporate service providers), during which documents evidencing implementation and compliance would be reviewed by CIMA; and (ii) requesting information and confirmation via annual surveys issued to all regulated entities (except for mutual funds and private funds) to demonstrate implementation and compliance. Any deficiencies are likely to be recorded by CIMA and require remediation or enforcement.

The introduction of these new measures should boost global recognition and confidence in the use of Cayman Islands vehicles in all regulated business relationships. We explain the requirements and their application in further detail below.

New Rule and Statement of Guidance on Internal Controls

The new Rule and SOG on Internal Controls for Regulated Entities (IC Rule and SOG) is divided into two parts. Part I contains general rules and guidelines for all regulated entities (including regulated mutual funds and private funds). Part II contains sector specific rules and guidelines, in relation to fiduciary service providers (e.g., trust companies, company managers and corporate services providers) and securities investment business (e.g., investment managers and advisers).

The five key components that an internal control framework should address are: control environment; risk identification and assessment; control activities and segregation of duties; information and communications; and monitoring activities and correcting deficiencies.

The IC Rule and SOG include several documentation and reporting requirements, as well as enhanced risk assessment and response measures for governing bodies, senior managers and those performing control functions. Regulated entities should carefully examine these requirements against existing systems and controls to determine whether they need to be enhanced to the new standards.

New Rule on Corporate Governance

The new Rule on Corporate Governance for Regulated Entities (CG Rule) applies to all regulated entities, including mutual and private funds. 

The new CG Rule requires a regulated entity to establish, implement and maintain a corporate governance framework commensurate with its size, complexity, nature of business, structure, risk profile and operations. Similar to the IC Rule, the CG Rule will also be subject to proportional application.

The corporate governance framework must address, at a minimum: objectives and strategies; structure and governance of the governing body; appropriate allocation of oversight and management responsibilities; independence and objectivity; collective duties of the governing body; duties of individual directors; appointments and delegation of functions and responsibilities; risk management and internal control systems; conflicts of interest and code of conduct; remuneration policy and practices; reliable and transparent financial reporting; transparency of communications; duties of senior management; and relations with CIMA.

In addition to enhanced documentation requirements, governing bodies of regulated entities are required to meet, at least annually, to review and revise, as necessary, aspects of their corporate governance and internal control practices and frameworks to ensure there are no gaps in compliance with CIMA’s measures. Governing bodies can also use this meeting to assess outsourcing arrangements and receive updates and reports from service providers.

Statement of Guidance on Corporate Governance for Mutual Funds and Private Funds

The SOG on Corporate Governance for Mutual Funds and Private Funds has been extended to apply to private funds and is intended to provide specific industry guidance with respect to addressing obligations under the CG Rule. The nature of the regulatory requirements is largely unchanged, except to import appropriate terminology in relation to private funds, such as references to ‘marketing materials’ in addition to offering memorandum. The SOG also replaces previous references to ‘Governing Body’ with ‘Operator’, in keeping with the terminology in the underlying Acts.

The new obligations should not impact current operating practices in a material manner, as there is flexibility in how and when the arrangements are implemented, as explained above. The new measures may need to be considered and reflected in the responses to the FAR forms to be filed with CIMA for FY2023 and onwards.

Updated measures

The updated measures include revisions made to existing SOGs on Outsourcing, Records Management and Cybersecurity.

The updated measures continue to apply to the same regulated entities to which they applied previously. The Outsourcing and Cybersecurity measures do not apply to regulated private or mutual funds.

1   A Rule is a CIMA directive creating a regulatory obligation, breach of which may lead to regulatory enforcement action. A SOG is a measure for CIMA to assess compliance with a Rule or the law.