Cayman Islands SIB Registered Fund Managers: Understanding CIMA requirements for control testing and ES and AML inspections

Ali: Hello, everyone, and thank you for joining us for today’s webinar. I’ll pass you on to my colleague Elaine Chow. Thank you, Elaine.

Elaine: Thanks, Ali [SP]. Hi, everyone. Thank you for joining our webinar today, which is focusing on Cayman investment manager and advisor entities registered at SIB Registered Person with the Cayman Islands Monetary Authority. Today we have over 100 registered for the webinars, which is a great turnout. If you have any questions that you would like to discuss following the webinar, please feel free to reach out to any of us, and we will be more than happy to provide any additional information and answer your questions.

While we have put together an informative agenda, our Cayman subject matter experts will be in Hong Kong and Singapore at the end of April, where Waystone will be hosting physical roundtables to go through these and related topics in more detail. There will be no charge to attend the roundtables, and you’re welcome to extend an invitation to your teams. However, our space will be limited, we do encourage you to register as soon as possible.

Speaker introductions

As a quick introduction of our moderators and speakers today, my name is Elaine Chow. I’m a director based in Hong Kong, and I’m part of the business development team. I will be one of your moderators today. My co-moderator is Joost Lobler, a managing director based in our Hong Kong office as well. He’s also part of our global business development team, supporting the business development activities of Waystone within the Asia-Pacific region.

Our speakers today are from Cayman, the Cayman subject matter experts who are based in Cayman Islands. We have Lynden John, who is an executive director and heads up our Cayman product development. So our speakers today are Cayman subject matter experts, and they are based in the Cayman Islands. Lynden John, who’s an executive director, and heads up our Cayman product development, where he provides structuring and regulatory solutions to our asset manager clients. And he also serves independent directors and advisory committee members to Cayman Funds. Our second speaker today, Alan Kelly, he is an executive director, and heads of our economic substance solutions. Alan manage our dedicated substance team that provides substance to a wide range of Cayman-domiciled asset managers. And he’s also responsible for managing Cayman’s host asset manager platform service, which directly manage approximately $13 billion of assets under management. Our last speaker today is Darragh Murphy, he’s a director in our economic substance team in Cayman, where he manage and provides all oversight to the team performing the portfolio management and risk reporting to fulfill the Core Income Generating Activities, CIGA. He also provides independent directive service to Cayman Asset Managers and funds as well.

Joost: Thanks for the introduction, Elaine. So now let’s jump right into it. The first question is for you, Alan.

From your perspective as our head of economic substance solutions, what are the main area a SIB Registered Person, or a Cayman investment management company should be focusing on in 2023?

Alan: Thank you Joost, and good morning everybody. I guess in addition to the usual SIB regulatory requirements, the three main areas of focus for this fiscal year, I would say, are the proposed new rules and guidance notes I guess in respect to internal controls for SIB Registered Persons, the increased frequency of CIMA inspections on SIB RP entries, and their annual control reviews and I guess ultimately their AML compliance. Also, then we are looking at the increased DIT inspections in respect of economic substance compliance and ensure that all relevant entities are, one, I guess, able to demonstrate that they meet their economic substance obligations and that they’re having adequate and appropriate CIGA-conducted within the Cayman Islands. And also, I guess then, that their adequate number of suitably qualified employees within the islands. Just for context as well, Joost, I guess, when we’re referring to the DITC, DITC is the Department for International Tax Cooperation and I guess they’re responsible for administering all of the Cayman Islands’ legal frameworks for the international cooperation in tax matters.

Joost: All right. Thanks, guys. Then off to Lynden, so in the first week of January, SIB managers received a circular issued by CIMA asking the registered person entities for an internal audit plan and a request to provide audit reports to the regulator.

Can you shed some light on this and what should managers understand about CIMA is actually expecting from them?

Lynden: Thanks, Joost. The circular that was released was released before the new proposed guidance notes and rules haven’t actually been gazetted. And so technically the rules are not quite yet in force, but it’s very clear that the regulator’s expectation is that SIB registered persons should start taking the steps to be in compliance sooner than later. But once those rules have been gazetted they will be enforced by the regulator. And the regulator’s approach will be that they had given industry significant and adequate notice before they’re being gazetted.

So the question really for SIB registered persons is, what is adequate controls? And because SIB registered persons cover such a wide range of different activities related to securities, some registered persons are passive and answers all functions and have no employees, while others actively manage trade accounts. So for the first question that managers should understand is understand the scope of activities. And my examples are quite simple.

The SIB registered person who delegates all investment decisions to a sub-advisor and has no employees would not have many requirements for controls. And the main controls would basically be controls around the governance framework, controls around anti-money laundering, controls around outsourcing. And the key would really be around outsourcing because it’s not just that you have controls about who you select to do the services, but also how you monitor them and ensure that your service provider has adequate and appropriate controls in place. For example, internal controls, business continuity policies and procedures, and cybersecurity.

Whereas a SIB registered person who actively manages a portfolio and trades, has several employees and outsources may be some CIGA for substance, would have a much greater need for more controls. And you would consider whether or not you’d have to have business continuity policy procedures at the manager level, employee policies and procedures, case management, investment, anti-money laundering, cyber security, etc., etc. And these controls need to be documented in either an operating manual or a policy and procedure. And these policy procedures can’t just be generic. They need to be tailored to your business so that not only do they fulfill the guidance and the rules, but it makes sense when you test these controls. With that would come an internal audit plan and that will be relative to the size, complexity, and the nature of your business.

So how do you test this? It’s actually quite straightforward. A person or an independent team who’s independent of the directors or a SIB registered person will need to establish an internal control plan and determine the frequency of controls to be tested. We already have to contest the anti-money laundering controls every year. We do have to have two board meetings every year. So it wouldn’t be a large stretch to add a few extra tests. In my first example, your internal audit may just document the evidence that the internal audit plan exists and that someone has had the two board meetings. Whereas if you have a more complex SIB registered person, you’d really have to consider the impact of the controls. What would be adequate with cash management, for example, should be an annual basis, whereas business-continued planning could be buy-in every two or three years. What is key is that the internal controls are coming and it’s worth getting ahead of this before the regulations are in place. Sorry, I’m gonna cough. Hang on. Sorry.

Ali, if you could go back to consider the frequency on the internal order scope over a few periods and start again? What are the key takeaways? Internal controls are coming and it’s worth getting ahead of the regulations sooner than later. Don’t overcomplicate what you need to do. Understand your SIB registered person’s role to identify the key controls required so you know what you need to be tested. Ensure that these key controls are documented and identify who is best placed to perform internal audit control, who is best suited, and whether this should be outsourced or if you can get in-house. And then also ensure that once you’ve completed your internal audit control and your internal audit report, it’s prepared and submitted to CIMA within the prescribed timeframes.

Joost: So, Lynden, to sum up what you just said, is that while there’s a lot to understand to the new regulations, it might make sense to speak to a firm like Waystone to assess your specific requirement and understand where you fall in the scope before going out and spending a significant amount of time and effort and possibly money only to realize that you could have fulfilled your obligations with simpler controls. Right?

Lynden: That’s exactly it. If you consult before you go and spend a considerable amount of time, it’ll be very beneficial to you to consult with your trusted service providers.

Joost: Okay. Okay, then over to you Darragh. Asset managers everywhere in the world, including Asia, have noted a significant increase in regulatory requests for their SIBs.

Can you shed some light on why this is and what SIB managers can expect in 2023 this year?

Darragh: Thanks, Joost. Absolutely. So for the last couple of years since CIMA have put more robust regulations in place, they’ve also increased their inspections. And it’s not really just inspections, but also seeking more information through their requests for information such as the SVB Bank matter recently. And they’ve also expanded the AML surveys to SIB registered person entities in 2022. So the SIB registered person AML survey caught many service providers and SIB managers off guard, this is because the survey itself was extremely broad and was designed to capture almost all scenarios for SIB registered persons’ AML activities. At first glance, the 500 or so questions were quite overwhelming and many AML COs and directors may have been at a loss as to where even to begin, especially given the tight deadlines around the turn of the year.

For the majority of these managers, the responses for the survey were either generically the same or not applicable to the asset manager class. As such, our product team had an opportunity where they were able to create an automated tool to assist managers complete the survey within a few hours. We also actually assisted many non-Waystone clients where their service providers were unable or unwilling to assist for whatever reason. The survey itself lit some key deficiencies for some managers. For example, managers not having completed an AML control review within the last 12 months and in some cases ever or, you know, not holding the two required board meetings in the last fiscal year.

And then I guess what this led to was it ties into the common findings the regulator is finding in its inspections, which are frequent AML control reviews not being undertaken, or if they are being undertaken, they’re not addressing the AML controls required for SIB registered persons. Along with that, directors and officers of the SIB registered person entities are not completing Cayman-specific training. So some of them are completing AML training per se, in each of their respective jurisdictions, but not Cayman-specific, which is important. Again, not having at least two board meetings in a fiscal year, which is in line with the CIMA statement of guidance, and not undertaking any CDD on the funds that they have been appointed on, and importantly, unable to show how they risk-rate each of their clients.

So, I guess to answer your question, Joost, what should managers see in 2023? I think it’s right to break this into four aspects. So one, managers should be prepared for another survey. Now that CIMA have done it, they’re likely to do it again and it would be prudent to have the information ready for the survey in advance for request. Number two, managers should anticipate that the SIB registered person entity be inspected. And if an inspection request is received, understand how best to respond within the timeframe provided. Again, here, we need to remember there was tight deadlines last time around. In the event that CIMA identifies some findings, ensure that they’re then addressed within the relevant deadline and that the board approved the remediation of any findings.

The fourth item that I’d like to bring to people’s attention is fines. Fines are certainly something that are probably gonna follow these inspections and audits, let’s say. So managers and operators who are not prepared have not put in controls or are not adhering to legislation rules or the guidance notes are likely to be faced with enforcement by way of fines or penalties. We’ve seen a lot of service providers and some managers receive quite hefty fines in the last two to three years. The biggest one that we have seen is over $5 million. And the expectation is that the enforcement and fines will continue to be levied into the future.

Joost: Right. So the message here is be proactive. Don’t wait and see because it might become very expensive. At the same time, if your current service providers can’t assist you with this service on time, you may want to consider a service provider who is sophisticated enough and able to respond to such requests on short notice and fulfill your obligations as needed. I’ll move on to another question here.

Are SIB registered persons in scope?

In 2019 and 2020, there was a lot of information going around about economic substance and whether a SIB registered person was in scope, and if so, what would be deemed adequate and appropriate. Now, two years on, does the industry and the regulator have a clearer understanding of what is adequate and appropriate and have there been any inspections by the Department of International Tax Cooperation, the DITC in this regard?

Alan: Thanks, Joost. The short answer is yes to all your questions. I guess firstly, the guidance notes were agreed in 2020 now, and the DITC is now testing whether SIB registered persons who are in scope have adequate and appropriate substance in place. I guess what we have found in the last year or so with potential clients is that if they’ve received inquiries from the DITC or they’ve started to assess whether what they have in place is adequate and appropriate, or indeed if they have considered it adequate and appropriate in the past, if this remains to be the case, there does remain significant gaps in their ability to demonstrate substance. I guess to explain this is important to understand when a SIB registered person is considered to be undertaking a fund management business as defined by the guidance notes.

The definition of fund management business encompasses relevant entities, which is a business managing securities belonging to another person, say, for example, being an investment fund. In circumstances involving the exercise of discretion pursuant to paragraph three of section two of the CIGA. The key here is being managed securities. The second part of understanding is how a SIB registered person is going to demonstrate the core income-generating activities. And remember those core income-generating activities are taking decisions on the holding of and selling of investments, calculating risk and reserves, making decision on currency and interest fluctuations, and hedging positions, and lastly, then, preparing reports or returns or indeed both to investors or regulators.

I guess what we have found is when clients have come to us to assess if what they have in place is already adequate and appropriate or what they have presented to us, let’s say for example, adverse findings from the DITC, in most cases, they have actually appointed Cayman-resident directors. So in theory they have a majority Cayman board. But when we look at it closely, I guess to CIGA, these have been sub-delegated to an advisor who’s actually outside of Cayman. As a result, there is no actual CIGA and internal substance in Cayman. I guess then for PE funds, we also find that, I guess, the board compositions are usually not majority Cayman board and there’s no formal process noting that the quorum must be in Cayman has been defined. So as such, investment decisions for PE transactions are not deemed to be made in Cayman, which essentially then underlines the CIGA.

I would say then for SIB registered persons to have adequate and appropriate economic substance, the SIB RP should really have the following. Number one, a majority Cayman-resident board. Two, the ability to demonstrate that the CIGA’s, again, for example, taking decisions in the holding and selling of investments or calculating risk reserves is actually undertaken in Cayman. Also, to ensure that the adequate amount of operating expenditure incurred in the islands, for example, that SIB RP retained Cayman-based services to assist the entities’ internal controls such as registered office, AML officers, FATCA, and CRS officers.

I guess in addition then, the main findings of the DITC that substance is not adequate and appropriately applied from the Caymans are relatively obvious. Some of the pitfalls we would have seen or indeed read about would be, for example, that the ESN that is the Economic Substance Notifications are correct. Again, remember the ESN is the acknowledgment if an entity is in scope or out of scope for economic substance. Secondly, then the economic substance return itself have not been filed or indeed have been filed and they’re inadequate. Also, then we see the ES classifications only addressed some of the activities and not all ES activities. Also, we see then SIB RPs have not registered for CRS, common reporting standards. Another one then we see then is SIB RPs’ and relevant entities not having frequent or adequate amount of board meetings. And not only having the board meetings but also document those board meetings by way of minutes as have been carried out in Cayman. And lastly, then we also see SIB RP boards are not undertaking self-assessment in respect of economic substance to assess if the entity is adequately and appropriately addressing its obligations.

Are managers surprised their economic substance is not adequate?

Joost: Okay. So, Alan, are managers surprised when they are informed that despite having Cayman directors, their substance is not adequate?

Alan: You’re correct, Joost. Yes, they are. And, you know, it can be a tricky discussion as Waystone is ultimately a service provider here and we want to be respectful of our competitors, but if you have a Cayman-resident director, one, they should understand what is required to undertake those CIGA that we mentioned. Two, then they need to be able to summarize what the SIB RP requirements are, and they’re in compliance with ES. I guess, which goes to my previous point, then, around self-assessment.

I would also say then that there’s only a few professional director services firms in Cayman who provide fund management services, that being risk reporting and portfolio management services here on island. I guess, I think the message if your Cayman service provider is not undertaking portfolio management or risk reporting, you should really consult with a firm such as Waystone as to whether you have the adequate substance. At the very least, you know, have that discussion, make an inquiry in the very first instance.

I guess in conclusion then, Joost, if I may, just to leave you with my key takeaways for consideration. Number one, I’d say now that the DS regulations have settled and the DIT has started to test relevant entities implementation of the regulations, it’s important for managers, and I guess entities’ boards to assess whether or not the substance that they already have in place is adequate and appropriate. Again, if there’s any doubt, it’d be prudent to have that discussion. Make the inquiry, just make sure that there’s no gaps whatsoever because, again, it goes to the fines and penalties for non-compliance for no material. And as such, now that we’re in 2023 and the legislation is a few years old, the breach may be for multiple years increasing the possible fines. I can guess the DITC handling of how the breach goes.

Joost: Okay, thanks, Alan. This brings us to the end of our webinar and we appreciate your informative updates of the matters that SIB registered persons need to be aware of this year. Thank you very much. I’m sure many people on the line today have questions or want to discuss some of these topics in more detail. So of course we are happy to schedule some time with you if you want. Our contact details of Elaine and myself are on the sheet you see here in front of you. And again, our Cayman subject matter experts will be in Hong Kong and Singapore at the end of April and early May. If you want to meet them in person to discuss the various topics of today or any other related topic, please let us know and we’ll schedule some time with you. And I thank everyone for attending our webinar.