How can managers be prepared for Cayman AML audits and inspections?
Hello, everyone, and thank you for joining us at today’s webinar on, how can managers be prepared for Cayman AML audits and CIMA inspections? I shall now hand you over to my colleague, Elaine Chow. Thanks, Elaine.
About the Panellists
Thanks, Ali. Good morning everyone and welcome to the webinar. My name is Elaine Chow and I’m a director at Waystone in Hong Kong. Waystone is a leading provider of institutional governance, risk, and compliance services to the asset management industry for more than 20 years. We are now supporting asset managers with more than $1 trillion in AUM. We’re very happy to have two of my colleagues speaking with us this morning, Fortune and Josephine.
Fortune is an associate director based in our Cayman office. He has extensive experience and knowledge of the Cayman AML regulations and other investment funds regulations. Acting as an AML compliance officer and money laundering reporting officer to Cayman entities, Fortune oversees clients’ AML Compliance Programs, and their regular audits. Previously, Fortune worked at CIMA as a chief analyst.
We have another speaker, Josephine, who is a director based in our Ireland office. She has extensive experience and knowledge on the area of AML CFT compliance. Same as Fortune, Josephine acts as an AML compliance officer and money laundering reporting officer to Cayman entities. Josephine is also responsible for reviewing the regulatory implication of various matters and provides AML guidance and recommendations. Previously, Josephine worked in the AML division of the Central Bank of Ireland as an AML supervisor, where she conducted inspections of regulated entities.
Webinar Topic Overview
Today we will discuss the topic, How Can Managers Be Prepared for Cayman AML Audits and CIMA Inspections? We will first give a quick refresher on the duty and responsibilities of AML officers, then we will give an overview of AML audit requirements and CIMA inspections. After that, we will also share some common findings of the CIMA inspection reports, since I think a lot of you will be interested to know, and we will talk through the filing deadlines and penalties. Lastly, we will quickly share how Waystone can help and try to address some questions from the audience. We will try to keep this webinar short, within half an hour. If you have any questions during the presentation, please put them in the question box in the control panel and we will try to address them at the end after the webinar. So, Fortune, over to you to start with giving a quick update on the AML officer’s duties and responsibilities.
Duties & Responsibilities of AML Officers
Thank you, Elaine. Yeah, duties and responsibilities of an anti-money laundering officer. I shall highlight that the appointment of AML Officers is a requirement of the law. And any financial service provider, an FSP, who is a licensee or registrant of CIMA is required to ensure that they have these AML officers and that they discharge their day-to-day obligations. The AML officers are required to be fit and proper to perform their role. I mean, they’re supposed to be suitably qualified at the management level and they have to be natural persons. And the most important thing is that they be autonomous, that is that they need to have the ability to make the final decisions, and they report to the board. And then they need to have access to all the relative information that they need to perform the assessments as to whether there’s any suspicious activities.
And some financial service providers provide…I mean, appoint their own staff members to open as the AML officers. And some, they outsource the functions to another service provider. However, compliance with these obligations under the AML regulations cannot be transferred to anybody and the responsibility cannot be moved to someone else. So, the financial service provider is still responsible for complying with the regulations and the AML/CFT obligations. And even if they outsource, the financial service providers are expected and required to comply with the requirements of Cayman law. So even if you outsource your AML functions to an AML officer who’s based in Ireland, like my colleague, Josephine, the expectation is that, as long as it’s a Cayman fund, it has to comply with the requirements of Cayman law.
Requirements of an Independent AML Audit
Having talked about the duties of the AML officers, I’m gonna move into the requirements of an independent AML audit, which is also a requirement of law. Regulation 5 of the AML and Section 2 of the Guidance Notes provide, among other things, that there should be an AML audit performed on a financial service provider, which is commensurate with the entity’s nature, size, and its complexity. The scope of such audits should, at a minimum, assess if the directors are fit and proper, if the policies and procedures and internal controls are working properly or adequately set up for the type and size of that financial service provider, and should ensure that there’s periodic reviews of the company’s operations against the AML/CFT and current industry best practice. And there has to be adequate internal reporting procedures with a clear line of how everything is reported in terms of suspicious activities and adequate record keeping. It’s very important to have all your records up to date and easily, you know, auditable should the regulators want to look at them. Where you have group-wide policies that are adapted or adopted by the company, say, you have a group that is global, there’s need to make sure that the AML process or the AML program that is implemented on a Cayman subsidiary complies with Cayman law. So there needs to be a gap analysis.
For example, if the group is based in Hong Kong, and they have a Cayman subsidiary and they are applying group-wide policies, there is need to look at the group AML program versus the requirements of Cayman law and then you imply…you implement the requirements for the Cayman subsidiary. If the Hong Kong laws are stricter or AML procedures are stricter, then that’s fine. But if they’re not, then you need to up it to the Cayman standards for the Cayman subsidiary. And also the internal audit needs to verify that there is a clear separation of roles between the money laundering compliance officer and the money laundering reporting officer from the shareholders of the company because of the obvious reason that the shareholders are the ones that are implementing the AML program, so they cannot audit their own program. There’s a need to have that independence.
CIMA Inspections: Why, When & What to Expect?
The big topic, CIMA inspections, why, when, and what to expect. As you know, Cayman had a review by CFATF in 2018. And they were required to have 63 recommendations that they were supposed to implement. And then in early 2021, FATF came and did an evaluation of that implementation of the 63 points. And Cayman was seen to have complied with 60 of the 63. And they are in compliance with 39 of the 40 FATF recommendations. But the three areas that they need to do or demonstrate is that they are applying sanctions to ensure effective and timely remediation of AML breaches by entities, and that they have adequate sanctions being imposed for entities that do not file up to date beneficial ownership information, and that they are prosecuting all types of money laundering in line with the jurisdiction’s risk profile.
We have seen, recently, an uptick in the number of entities that are being fined or that are being inspected. That’s the reason why there is an increase in the inspections. And when do they do the inspections? That’s up to CIMA and they determine when to come in for an inspection. They normally give you adequate notice to prepare for the inspection. The lead time is normally three weeks and people have to prepare and submit all the documentation into…and file it with CIMA. And they will review the documents, then they’ll hold meetings with the entity, the inspection process goes through.
And one important aspect of this is that when CIMA does an inspection, they are not inspecting your business model. They are inspecting their license because they grant you a license that allows you to perform a variety of roles. So, when they inspect, they are not necessarily looking at your business plan. I’ve seen a lot of times people say, “Well, we don’t do this. We don’t do that. So, why is CIMA looking for this information?” It’s because your license allows you to do that. So, whenever you have an inspection coming up, it’s important to review what the license you hold, and then put in place everything that’s required for that. They normally actually list everything that is required. And for us, we have the experience of what is required by CIMA.
And after an inspection, CIMA will give you a report, which is the inspection report, which lists the findings that they did. They kind of categorize the findings into matters requiring immediate attention. Those are the big issues. They are high priority and should be remediated within 30 days. That’s normally the standard lead time. And then the matters requiring attention, which is not exactly… It’s lesser demanding, it’s lesser of a finding, it still has to be rectified. It’s medium priority to low priority, that should be remediated. They give you between three months to six months, depending on the severity of the finding.
But it’s important, after you have an inspection, to keep in touch with CIMA and giving them regular updates in terms of the remediation of the inspection findings. Generally, what CIMA does, as any entity, you have a risk-based approach to how they do the inspections and how they look at who to inspect. So, once you’ve gone through an inspection, they will always look at, “Okay, where did we have many significant findings?” If they have a lot of significant or high-priority findings, that makes you a high-risk target. Or if they find that a lot of things are not in order, then you become a target for another inspection. So, the best thing to do is when they come in to do an inspection, it’s for them not to find any findings, or when they come back and they find again that you are a repeat offender or the breaches are being repeated, you might look like you’re ignoring them or you’re not understanding the requirements of the regulators. So they might end up then fining people.
Unless I lied, I’ve never seen a situation where CIMA fined an entity on the first inspection, but that’s what I have not seen. I’m not sure if they will fine people on first breach, but I don’t know if it can be that severe. I have not seen where they have fined entities after the initial inspection. But it’s always easy to avoid fines and to avoid many of these findings and have peace of mind. Engage the professionals, that simple. Most of the times, what we have seen is people don’t engage professionals, then they have an inspection, then they try and remediate. It gets very expensive.
Common Deficiencies in CIMA Inspections
Following up on the area topic, in terms of the findings, in terms of inspections, there is… I need to just highlight a couple of the common and key deficiencies that have been the common trend in the inspections that we have seen. But predominantly, these are on entities that normally do their own internal compliance work. There’s generally a lack of evidence for risk assessments that were performed in a timely manner. And most of the times when people are asked to provide risk assessments, they then rush to prepare risk assessment. They can see that this was prepared rushly. So it’s important to have it properly documented. There’s always a lack of oversight of the AML function. There’s no meetings being held. There is insufficient evidence that supports this ongoing monitoring of investor transactions.
Generally, the level of procedures and controls for ceasing the provision of services or discontinued businesses, there is weaknesses in the suspicious transaction reporting. People don’t know who to report, you know, the suspicious activities. They don’t know who their money laundering reporting officer is. Lots of deficiencies were identified on the onboarding processes of politically exposed people, perhaps. There is insufficient evidence that you, perhaps, or…this goes on top of the lack of ongoing monitoring of investment transaction. Some people change from one category to the other, they were not identified. Because when people go for inspection, they say, “Oh, you categorized this person is low risk, but we have realized that this person is a PEP.” “Well, we didn’t know because they were not monitoring all that.”
The other biggest challenge you find is that the AML officers, they’re not adequately qualified or knowledgeable enough, because many people think it’s a tick the box. So they’re like, “Who wants to be the money laundering reporting officer?” And the guy says, “Oh, wow, they need somebody who’s different from this.” “Okay, I can do it.” And then they appoint that person from the date of appointment, that’s the end of it. That’s the common finding, and they don’t have… Such people won’t have enough time anyway because they are busy. You find they don’t have time to devote to the AML functions as required by law and by best practice.
There is a lot of different fines that CIMA can levy with the money. They are all under Section 42B of the Monetary Authority Act, which gives you the types of breaches and the fines. Generally, minor breaches are $6,000. They’re about serious. And, you know, as you can see, very serious breaches can be up to $1 million depending on the type of entity. So, yeah, the fines vary by entity, I’m sure you’ve read about so many different entities being fined huge amounts. It’s because they have several breaches which can accumulate into a huge amount.
CIMA Filing Deadlines
These filing deadlines, again, continuing on the examples of each breach type, like minor breaches, generally, the failure to pay some fees under the various acts. And then there’s serious breaches like failure to appoint AML officers, you know, not notifying CIMA of any changes. You change your AML officer and people don’t notify them. A common thing on people that do internal, because the person resigns, no one remembers to notify CIMA. That can be a serious breach. And failure to file audited financial statements, which is not exactly an AML thing, but it’s a very serious breach that can lead to, you know, an enforcement.
Generally, the key Cayman reporting deadlines, most of them are January 15th. And a lot of people, like in our company, we are very good at adhering to all these deadlines given in this slide. Well, January 15th is my birthday. So I won’t forget to, you know, submit all the fees for my clients.
What Waystone Can Provide to Financial Services Providers
What Waystone can provide to financial services providers, I will hand over to Josephine Byron, my colleague, and she can walk you through what we can provide for you. Over to you Josephine.
Thank you very much, Fortune, and thank you for your presentation. It was very detailed. And don’t worry, you will receive a copy of the presentation following this call.
So at Waystone, obviously, we’re experienced. Since the inception of the requirement to have the AML officers in place, we’ve put a service in place to appoint natural persons to fulfill the roles of AML officers for Cayman domiciled funds and for management entities under the Securities Investment Business Act. And so, as detailed by Fortune in the presentation, we have a team of professionals who are fit and proper and able to perform the roles, the relevant roles in both the AML Compliance Officer role, the money laundering reporting officer role, and the deputy money laundering reporting officer role.
In that, we ensure that the policies and procedures in place of the fund are adequate, the compliance framework in general that any outsourcing providers are adequate to fit the roles. And in terms of that, we perform due diligence reviews with any of the service providers, in particular, those conducting investor due diligence.
So as I mentioned, we’ve got a team of colleagues across the globe. My colleagues in Singapore, in Hong Kong, as well as Fortune, and my other colleague in Cayman, and myself, and a colleague in Ireland. So we have a team of professionals to provide these services and have around-the-clock availability to answer any questions.
Thanks Fortune and Josephine. That was really helpful. Now, we have received some questions from our audience. Let me pick a few. I don’t think we have time to address the audit questions.
The first one is, what to do after CIMA issues findings, and generally, how much time do the managers have to rectify the issues? What are some typical remediation plans? Fortune?
Yeah. I think I kind of touched on that earlier on. But normally CIMA gives you a bit of lead time in terms of when they’re coming for inspection. Generally, it’s three weeks. But if you need more time, they’re very flexible. You can always reach out and make a plan with them in terms of when you can provide information. When they do their inspection findings, they look at how severe these findings are. They’re very practical people and they understand that, you know, there’s need to implement. But the matters requiring immediate attention, they are severe, they are high priority, they give you a month to three months. And then the other non-high priority items, it can be up to three months or six months, depending on the findings that they have. I hope I answered that question.
Thank you. Thanks, Fortune. We have another question.
For those entities that got picked for CIMA inspections, what are their common characteristics? Are there any particular size, structures, strategies, or does CIMA just pick randomly?
I suppose I can take this, Elaine. It’s not a totally random process. As Fortune illustrated in the presentation earlier, it’s a risk-based approach that CIMA consider and adopt. So, within the inspection unit and the AML division within CIMA, they have risk assessed all of their regulated entities, and the performance of inspections will be conducted on the basis of that risk assessment. And the higher their perceived risk by CIMA, the more likely the chance that an inspection will be conducted.
Okay. I think we have received more questions, but I think we are running out of time soon. We will try to address all the questions individually after the webinar. Thanks, everyone, for joining us today and I hope you all found the webinar useful. We will be circulating a soft copy of this slide, which will include all our contact details. So feel free to reach out to any of us and we are more than happy to have a separate conversation with you all. Hope you all have a good day. Thank you.