The Latest Cayman Islands AML Trends and Industry Best Practices for Investment Funds
Elaine Chow – Director | Waystone
Alpha Tsang, Partner | Assurance | Wealth & Asset Management – EY
Joe Fallon – Managing Director | Investor AML Services – State Street
Jessica Jiang – Associate Director | Compliance Services – Waystone
Vincent Tang – Associate Partner | Regulatory Consulting – EY
Cora Tang, Managing Director | APAC Head of Product for Alternatives – State Street
Elaine: Hi, everyone. Welcome to our joint webinar on the latest Cayman Islands AML trends and industry developments for investment funds. My name is Elaine Chow. I’m a director of Waystone based in Hong Kong. Today, we are very happy to have speakers from State Street, EY, and Waystone joining the panel discussion together to talk about the latest AML landscape and recent regulatory updates in the Cayman Islands. They will also share what we see as the industry best practice for investment funds.
Let’s welcome our panelists. We are so happy to have three AML experts on our web panel today. Joe Fallon from State Street, Jessica Jiang from Waystone, and Vincent Tang from EY. We also have Alpha Tsang from EY to be the moderator, and Cora Tang from State Street who will be doing a brief closing remark for us today.
Now I will pass it on to our panelists to give a quick introduction of themself and their respective role in supporting their clients in the AML process. Perhaps we can start with Joe first and then to Jessica and lastly, Vincent. Over to you, Joe. Thank you.
Joe: Thank you. Hi, everyone. My name is Joe Fallon. I’m the managing director of the AML services team at State Street, and I look forward to talking you through some of the areas of focus for Cayman AML, particularly around the service industry.
Elaine: Thanks. Over to you, Jessica.
Jessica: Hi, this is Jessica, member of our Cayman Compliance Service team. So I have been 10 years in this industry and always in the front line of the compliance, risk management in the financial sectors, covers commercial and investment banks and fund governance firms. Also the Waystone CCS team specialize in AML compliance, consist of AML officers based in Asia, Europe, and the Cayman Islands. We offer service as AML officers, AML audits and the AML training and AML consultancy.
Vincent: Thank you, Elaine. Hi, everyone. This is Vincent Tang from EY Consulting. I’m an associate partners and my team cover and work a lot with our asset manager clients on regulatory compliance. So it’s very happy to be here today to share our observations and sharings on Cayman AML. Thank you.
Elaine: Thank you. Yeah. Now, I will pass it on to Alpha to moderate the panel. Thank you.
Alpha: Thank you, Elaine. And yeah, glad to be here. Partner at EY, focusing on audit of our investment funds and asset manager. Pleasure to have the role to kind of lead the discussion today. As Elaine introduced, we have three great speakers in the room, and AML is definitely a hot topic that we want to spend some time to discuss about. Being a hot topic is also being a big topic, so, to start off with, I guess, we would like to kick off by inviting, first of all, Joe, perhaps to share and recap to everybody about the key components of a typical AML program, and more importantly the respective responsibilities of the funds, of the fund’s operator, as well as the various service provider. Joe?
Key Components of a Typical AML Program
Joe: Thank you, Alpha. So my focus today is to look at the investor level onboarding process from the administrator’s perspective. I’ve broken that out into 5 different areas, and I’m hoping to walk you through over the next 10 or 15 minutes. A summary of really what the administrator’s role is in the AML process. The onboarding process itself, the investor experience and how we manage the challenges and some of the more difficult requests for AML that we see across the investor base. We deal with reliance letter testing, which is a common requirement under the Cayman regulation. Working with our fund MLROs, and then also any other operational focus items that we’ve looked at over the last number of years.
We have a breakdown of our services and what we actually do for the fund as part of our role as the administrator. We contract the fund to our various entities as the administrator, and based on that contracting entity and the funds domicile, we would apply the AML standard. And the basics of that are identifying and verifying the investors, their legal entity type, their requirements, risk assessing those investors in line with our policies and procedures, retaining their documents on our systems and making sure they’re accessible to the fund or their clients on request for audits or other reasons. Screening their investors and also their connected parties, so any beneficial owners or controllers or authorized signers for the funds through our screening program for sanctions and PEPs. Assisting the clients for their own audits, be it a regulatory audit or an internal audit, and assisting them with their on-site reviews of our service, which happen on annual basis. And then we also perform ongoing assessment of the population, so periodic reviews, refreshes of investor cases, and additional testing as well.
So if we just jump into the next slide, which talks to some of the areas of upfront requirements and some of the challenges that we’ve seen.
Investor Level Onboarding – Upfront Requirements and Challenges
The Cayman policy has changed quite dramatically over the last number of years in terms of uplifts of requirements. We, as an administrator, have tried to implement certain aspects in our operation to help with the process and make it as smooth as possible.
Mandatory Completion of Subscription Documentation
One of the main areas we focus on is subscription documentation and the completion of that documentation. Most administrators will have their own AML supplement document that they use and that they suggest is embedded into the subscription document, and we are the same.
So we would always ask the client to embed that subscription document into their subdoc with the AML standards listed out very clearly, the clear legal entity type requirements, beneficial ownership sections, controller sections, upfront PEP declaration if it’s applicable, and making sure that it’s really a mandatory process to have that document filled in all sections. What really slows down the onboarding process is an incomplete subdoc where we have to then go back out to the investor contact or the client contact and request that additional information. And all of those points are somewhat mandatory in the Cayman program, and particularly, around beneficial ownership disclosure of that 10% threshold and any control identification for screening. It really helps us to get that upfront to understand the entity and screen those individuals.
Common Challenges with AML Document Collection
With the Cayman program, other challenges that we deal with around document collection, the main one is certification of documents. Under the Cayman program, there is a requirement for documentation for non-face-to-face relationships to be certified. We’ve looked at ways of, you know, making risk-based decisions around certifications, using online certifications and self-certifications where possible, but for the most part, we are dealing with an individual, their photo identification, passport, driver’s license, or their address documentation. It needs to be certified independently, as do their constitutive documents. And this can be quite a challenge, and certainly during the COVID period, it was quite a challenge to get those outsourced certifications in place, but it is a mandatory requirement and CIMA are very adamant to make sure that documentation is certified as being genuine and authentic.
We have outlined, in this slide, just some acceptable certifiers that we would look to certify the documents independently. In certain circumstances, we’ll allow in-house certification from in-house accountants and solicitors, but for the most part, we’ll look for independent accountant, legal certification on those documents. I mentioned self-certification. We use tools such as LexisNexis or World-Check or online sources to self-certify information in certain circumstances. And if we can verify it as true and correct and the documents are in date and it’s a low-risk investor, we can move forward with some of that self-certification, but definitely, a point that is a challenge for our investor base, particularly our U.S. investor base who would not be as familiar with certification requirements.
Complex Ownership and Control Structures
So moving on to the next slide. Some other challenges, complex ownership and control structures. Depending on the investor type that we deal with, it can be easier or harder to complete the AML file. And again, going back to the subscription document, having that information upfront, identifying your legal entity, making sure all your data points and your requirements are met upfront is critical. But for a lot of entity types such as multilayer private companies, trust entities, collective investment schemes, we see complex ownership structures, and that can be quite a challenge. It all comes down to the communication of the requirement upfront.
We try and outline as many options as possible to obtain the ownership information, be it an organizational chart, be it a letterhead. We want to identify the layers of the ownership structure right up to the ultimate beneficial owner of 10% or more. And again, it can lead to a lot of piecemeal interaction with your investor, a lot of kind of putting together the structure. So it’s best to have a direct conversation with the investor, if possible. Pick up the phone, call them and talk to them about what’s required, because some of these setups can be quite complex, particularly trusts and private companies.
We’ve seen some risk changes as well with regards to the Cayman jurisdiction over the last year. Moving to the gray lists and high-risk status, which has triggered a refresh of a lot of our cases across our EU domicile fund base. We’ve seen the removal of the equivalency rule, whereas, previously, we may have had Cayman funds that were done to a U.S. standard or an Irish standard or another EU jurisdictional standard. It’s been made quite clear now by Cayman regulators that the Cayman standard has to be met, and that’s led to a lot of uplift requirements and refresh requirements, which obviously our investors are not fond of, but it’s a necessary evil and it’s something that we need to do over a period of time. So we need to set in place, and you need to set in place, your refresh procedure, your timeline, and make it very clear of what your goal is in terms of making sure anything is refreshed and up to date.
And some more recent challenges around the Russian sanctions. We’ve seen quite a lot of blocking around the new sanctions lists, ongoing monitoring of those lists, a lot of work directly with our clients and our funds to make sure that, you know, the regulator’s been informed of any true sanctions in investments, that we’re working with the investors in their own roles and the clients to make the next steps possible for those difficult situations.
Reliance Letter Testing
Moving on to point three, this is around reliance letter testing. A circulator was issued in May this year around the expectation from CIMA that there will be reliance letter testing in place, not just for nominee intermediary letters, but third-party letters as well. And really what that means is that where you receive a letter in place of full AML for your investor, you need to be able to evidence to the regulator that you’ve tested that letter, and that’s something that we perform as an administrator on a quarterly basis. We would select samples across our investor base, cover by letters from different introducers. We would reach out to them directly and make sure that we can obtain the pack that they hold, and verify that pack, be it a legal entity or an individual, and make sure that it’s meeting a standard level of AML and that we’re comfortable that they are doing what they’re saying they’re doing in the letter, and they’re holding that, and we’re documenting that test on file. So certainly testing will become a big focus for on-site reviews from clients, but also from the regulator.
Fund MLRO Support and Interaction
Fund MLRO support and client education. We’ve seen, over the last number of years, the Cayman Fund requirements for each fund to have an appointed MLRO, AMLRO and compliance team. A lot of funds are outsourcing this requirement to vendors, and we are working very closely with these groups and appointed MLROs with regards to our service. I think it’s really important to work as a team when you’re dealing with your fund and you’re dealing with your fund MLRO group and build up a strong relationship between the groups, because where you’re acting as a service provider, the ultimate responsibility is with the fund. And we need to make sure as an administrator that we’re working directly with them and that we’re all on the same page in terms of our policies, our standards, our requirements, where we’re pushing back, where we’re making exceptions. All of that needs to be a very much a joined-up effort between the groups.
So what we will usually do is we’ll have regular meetings with the groups and discussions. We’ll debate scenarios. We’ll involve MLROs of the fund and any exceptions or allowances that we make dependent on risk. We’ll work with them on any routine audits that they have on our process or on sample files that they look at. And as I said, it’s a combined effort. Now, wherever we have pushback from an investor, we feel there’s going to be a risk of a client issue or investor issue, we’ll immediately bring in the MLRO to support our view, make sure we’re all in agreement, and then we’re in a much stronger position to push for what we need, when we need it. So that will be my advice, is to, you know, work together very closely, set up regular meetings and discussions, review your population and make sure you’re on the same page and helping each other to get what you need. And it makes it a much easier process overall.
Important Operational Focus
Then finally, other important focus areas that we have, and this is general across the administrator, quality communication. You’re always gonna get what you need once your communication is very clear and concise and detailed. And you’re backing up your requirements with legislative wording, you’re giving a lot of options around documentation to complete that documentation, and you’re looking at efficiencies around document sharing across existing relationships. We find that, you know, those areas in particular are the ones that are going to speed up the onboarding process, make it as easy as possible for the investors to onboard, and we put a lot of focus on that as a team. I’d like to thank you for listening to me today on the areas of coverage and I’ll hand back over to Alpha. Thank you.
Alpha: Thank you, Joe. Thank you. Thank you for the great, great reminder, as well as refresh of the different components of what we expect to see in the AML program, especially also, taking into account the recent hot topic like different Russian sanctions, etc., EU kind of risk rating, upgrade, downgrade, etc., and the implications as well. So, very informative. Thank you. I think linking onto that, I guess what we also want to touch on is more about kind of how, how our key regulators, CIMA, Cayman Islands is viewing the landscape, and what are the recent regulatory updates. So with that, we have Jessica from Waystone. Passing on the time to Jessica.
Cayman Regulatory Updates
Jessica: Yep. Thanks, alpha. Thanks, Joe. So this is Jessica, member of our Cayman Compliance Services team. So 10 years in the industry, I have been in the front line of the compliance risk management in the financial sector, covers commercial and investment banks and fund governance firms. So our team, the Waystone CCS teams specialize in AML compliance, consist of AML compliance offices based in Asia, Europe, and the Cayman Islands. We offer service as AML officers, AML audit, AML training, and AML consultancy. So our AML officers have been working with CIMA directly and a large number of funds and SIBA registered persons, and the clients have been able to benefit from the process since we are able to pass on the information onwards.
So, taking opportunity of this webinar, I will share some of the observations on the latest AML landscape in the Cayman Islands, with a special focus on financial sanctions and further about the latest regulatory updates.
The AML Landscape in the Cayman
So yes, about the AML landscape in the Cayman Islands, I single out three key talking points. One is although it’s treated as offshore ones and some people might have the delusion that AML compliance is kind of loose here, but actually, it’s not. It’s very well developed legal and institutional framework. And the Cayman Islands also, after taking the inspections, and will start to conduct a lot of efforts to enhance its current AML/CFT supervisory functions. So in practice, we can see one, there will be more and more inspection projects going on. Recently, what we can see is a lot of SIBA RPs has been selected and going forward, we can see there’ll be more being selected and more funds will be involved.
So second is we can see SIBA is now ready to levy some administrative penalties and imposing other fines and enforcement actions, especially when the inspection projects has been going on and the remediation actions has been agreed upon, but CIMA conducts a repeated inspection and see that the remediation has not been properly implemented. So we’re here just to remind everyone, if you got invitation from the CIMA that you will be inspected, please make sure to contact your legal counsel and also, like, cooperate with all the parties involved to have a fully cooperation with CIMA and all the remediation actions should be taken upon very seriously, and make sure all the gaps has been concluded. Next page, please.
Yeah. And what is the key focus for the regulator recently? As from the CIMA’s, the newsletter, we can see the most important focus is the targeted financial sanctions. So recently, we can see that if you hold any kind of board meetings and so on with a fund of SIBAs, the number one question that actually will be asked is whether the sanctions screening has been conducted according to the AMLR [SP]. So according to the AMLR, you should be conducting all the rates rating and screening the part and so on to make sure all the investors you have is not subject with the sanction…not within the sanction list. If it is within, what environment should be conducted, is also…this should be taken very, very seriously. It’s even included in the virtual asset service providers.
So what abstraction is, also, you can see from later part that is one of the inspections findings. What our suggestion is if the current entities don’t have any kind of money laundering in the sanctions screening. So the SIBAs cannot count on only the underlying funds screening environment, if you don’t have directly involved in the fund, for example, like, the World-Check One software and so on, you can further, like, contact with the fund administrator to gather screenshots and so on where they has been doing this, like, sanctions screening, that you need to retain all the records. Like, it’s within the industry that whatever not in the record, it didn’t happen.
So about the sanctions screening, our suggestion is first, you should introduce the sanction screening matters. If you don’t have it by yourself, you should involve a third party, but you should retain all the records to make sure that it’s fully compliant with the CIMA’s regulation AMLR. Yep. Next page please.
Q3 and Q4 Regulatory Updates
Yeah. And last is, like, this is our observation on the most recent regulatory updates in the Q2 and Q3. So basically, we’ll cover more in the part one is the CIMA’s findings and also in the testing on the third party CDD, and also the sanction part. So we’ll go to details later. Next page, please.
Yeah. About the on-site inspections, so the notable deficiencies were found related to the last part under, which will be further detailed by the EY later. So the highlighted part is one, the most focus will be the policy and procedures and the implementation of the policy and procedures, and all has to be in the records. So the most notable find is one, the customer CDD, whether you have, like, all the records, all the things has been translated and will be provided to CIMA on time, as requested. And also the employee training awareness program, whether all your and all your compliant officers has been through all the programs and whether it’s in record. And further, you should have a plan for the next year and so on, the AML training plan and make sure that it’s conducted at least annually.
Management for Outsourced Compliance Functions
So the next part is, like, really common finding is, like, your management for your outsourced AML compliance functions, whether you have enough due diligence and whether it’s enough oversight on that. You should also record, you know, all the efforts. Yeah. And after that one is most important part is whether you have independence and segregation of duties on all your functions, which will be further detailed by EY later.
Review Sanctions Compliance in TCSP
Yep. And the next part is the review about the sanctions compliance in TCSP. It’s actually not only for the TCSP, as can be seen, all the parts later, it’s kind of applied for other type of business as well. So the part is, like, whether they have screening performed to all the clients and also all their beneficial ownership. And whether it has already is confirmed on the onboarding part and all the subsequent trigger events, whether it has documented files in everything, because if you have done the screening, and it’s not in your records, it means it didn’t happen.
Ongoing Compliance Monitoring & Periodic Review
And the third part, which is really important, ongoing monitoring and periodic review. You should have written records on your periodic review. And the next part is periodic review, whether it is, you know, timely manner. It means if you have…this also should be risk-based. If you have this client as a high risk, maybe this should be done more often at the…where you can see most of the fund administrators, they have conducted this on, you know, like, daily basis and SIBAs, they do it at least on a regular basis, like, monthly and so on. So it’s related to risk-based approach. Yep. And all the parts should be documented.
Yep. And this is the good news. Since July 7th, 2022, this year, the Ministry of Financial Services has issued a media release informing the industry that from July, it doesn’t require any additional AML/CFT measurements to be adopted to remove Cayman from the EU’s AML/CFT list. And which is the two falling into action plan should be the only ones that outstanding. And knowing that well, we should be saying that the good part is starting that…noting that it’s [inaudible 00:25:00] that Cayman will be removed as the penalty in October of this year, and the EU will not require any additional measurements to the Cayman-based business.
Testing of Third-Party CDD
Yep. Next page, I think is already shared by the State Street that the testing of the third-party CDD is also required within the Cayman Islands. It’s also greatly related to the sanctions compliance. So as of 19th of May, 2022, CIMA released a supervisory circular relating to the requirement to test the simplified due diligence. And the most important part is, one, the testing should be done and the testing should be done on a random and periodic basis to ensure that the identification, the verification information is produced by EI upon demand and without due delay.
We have worked with a lot of fund administrators and it’s turned out they are doing it fine, but a lot of SIBA or counter of U.S. managers register within Cayman that they actually not focus on this part with further is, like, from now on, you should put the focus on that and all the EI arrangement should be tested regularly. And when this has been tested, again, cannot emphasize this more, that record should require to be kept, irrespective of such testing.
Yep. And further, we recommend that during annual board meeting and so on, it can be checked whether the nominee arrangement and so on, the sanction screening has been tested or has been tested the arrangement, whether there’s, like, underlying investors subject to any sanction list and so on. So yeah, this should be… Well, this measurements can be combined going forward.
And this part is, again, about sanction management. So Cayman Task Force on Russia Sanctions has been activated. As you can see, a lot will measure financial, like, has been involved with this part. This further reminds you that all the should be put a lot of focus on the sanctions. As you can see during this, like, regulatory updates part, we actually have three slides on the sanction part. So that’s a good reminder that sanction compliance should be the next focus, or, like, going forward, should always be the focus. Yeah.
So it’s also noted that there have been, like, the management of asset freezes has been imposed, like, in a lot of organizations and so on. So when you screen any account of U.S. subject to the true in sanctions screening, all your AML offices should be involved, and maybe the equal council. So we should file the regulatory updates with the FRA, and yeah, all the process environment should be in your policy and procedure. I think that’s all from us. I will pass it to Alpha.
Alpha: Thank you. Thank you, Jessica. Thank you, Jessica. So as I just pick up from Jessica, there are more and more regulator focus in the area of AML. And we also often hear from our clients, from other regulators about the need to have strong three lines of defense about different risk management as well as internal control process. So with that, I want to invite my colleague, Vincent, from our advisory team to share with us kind of how the three line of defense concept apply to a typical AML program and to highlight some of the key takeaways from other on-site inspection. Vincent.
Applying the Three Lines of Defense to AML
Vincent: Thank you, Alpha. Hi, everyone. An honor here to share a little bit about the three line of defense and also some key takeaways from the on-site inspection. Please, can you turn onto the next page? Okay. So we have Joe and also Jessica to share about, you know, about the investor AML services and also some observations and also regulatory update. But before we proceed further on, you know, particularly what is the expectation and also what would be a third line doing in an AML program? I want to take the time to actually share a little bit more about an effective AML compliance program.
Effective AML Compliance Programs
So Joe actually talked a lot about the focuses on KYCs and other investor related service, which are a critical part of the BAU in the AML functions. Now, which are aligned here in the middle. For example, risk rating, customer identification, customer due diligence, and, of course, for higher risk clients, enhanced due diligence, and on an ongoing basis, transaction monitoring, SCLs, and also reporting and escalation. Now, on top of the BAU, the business as usual, the day-to-day, on the KYC and also on ongoing monitoring, there are another aspects from the second line, the MLROs and the compliance officer is also a key pillars in an effective AML program, which Joe also mentioned and shared about, you know, how he worked together with the MLROs.
Now, on top of that, which are, you know, the key pillars of an effective day-to-day AML program, there is a last pillar to this, which are the bottom one, the independent review, independent functions of, you know, looking at the entire program and framework. Typically these are done by the third line of defense, the internal auditors, internal audit functions or any function that is independent, not involved in the day-to-day of the AML program. Okay?
So I think these is some of the key differentiations between first, second, and third. And a lot of our clients actually said that if, let’s say I have outsourced it, some of these functions to a third party, would that be that they can be lined and treated as a third line, right? So I guess this is all linked back to very key questions, whether there are segregations of duties, whether this party that is outsourced actually involved it in the line one and line two. If the answer is no, this party can definitely serve as a third line, you know, carrying out internal audit or review of the program. Okay?
So can we move on to the next slide, please? So let’s talk a little bit about this audit or internal audit requirement, right? So, you know, why do we do we need to do this? So this is actually stipulated in the AMLRs saying that there should be an appropriate, effective, risk-based, independent audit function to test the AML system policy and procedures. So, yes, this is something that is a must and need to be done on a regular basis. Next.
So who are the one that can be doing this, you know, AML independent audit or review on the AML functions? So as we have briefly talked about, anyone can do that except for those that are doing the day-to-day, right? So it has to be independent and also, the person doing it shouldn’t have any management role or involved in the business or in included in the investment activities as well. Okay? And again, the person who is doing this should also be accredited as well. So it shouldn’t be anyone, but except for, you know, accredited personnel who have the knowledge and experience in AMLs regulations from CIMA. Okay. So next slide.
So now I know that, you know, this is a must, we need to do it on a regular basis and it has to be done by an accredited person that is independent from the day-to-day, so what is the frequency? When should we doing this audit, right? Is there any explicit stipulated timelines, AML hours mentioned? So this is, again, on the risk-based approach, which makes sense because for large scale, very complex financial institutions or managers, an annual review may not be sufficient because of the change and the scale, but for, you know, a more boutique or more smaller scales client, a you know, multiple years review makes sense. So this is all linked back to a risk-based approach, which is based on the scales, complexities, you know, the client base and all that as a basis in terms of the frequency.
So even before you start to do a review, you need to actually do an assessment, an initial assessment of your funds, of the fund managers so that you know what sort of AML risk associated with the organization, the entities and the funds. And based on that, appropriate assessment can be made to determine the time and the frequency of an AML audit or review. Okay?
And next. So now we talk about the why we need to do it, who are gonna do it, and when we are gonna do it. The next one is what. So what exactly we are looking at when we’re doing an audit, an AML audit or review, right? So particularly, we definitely look at the policy and procedures to make sure that it complies with the latest AML laws, requirements and also other guidelines. But more importantly, in addition to the policy and procedures design, we also need to look at the operating effectiveness, meaning that during the review, we need to look back in terms of examples of after a set period of time, making sure that the underlying controls are in place. And that’s, you know, in the sample testing, there is no exceptions noted. So there is also the elements of sample testings and reviews, look-back review as well. Okay?
Now that we understand about, you know, typically what the third line is doing and also from a time and also from a qualification perspective, let’s move on to another topic. Let’s talk a little bit more on the AML on-site inspections by CIMA. So these are common findings that we observe from various, you know, communications that is issued from CIMA. So all in all, there are a couple of common themes among all these different inspections findings, right?
So number one there definitely can be improve further regarding about documentation. A lot of the time, our clients actually have policy in place and actually, controls are in place, however, there are you know, not sufficient documentations or audit trail to support such control in place. So definitely, an improvement in terms of documentation is a key theme. So number one, on the AML policy and procedures, definitely, you know, making sure that there are sufficient documentation and also, timely updated to respond to the changes in the legislation and regulations.
Two and three, customer due diligence and periodic customer’s files. So I think that also echo to Joe’s point earlier where, you know, because of, you know, the change, and also the of the different jurisdictions, definitely uplift is required, and as a result, you know, more frequent refresh may be necessary. So findings relating to CDDs and also KYC refresh is always relating to making sure that the information is up to date and also retaining those supporting informations when doing the KYCs or the KYC refresh, particularly, on higher risk customers.
Now, the next one is relating to risk assessments. So a lot of the time, risk-assessment should be the starting point. Initial risk assessment should be the starting point when carrying out, you know, let’s say a KYC reviews or an assessment of the entity itself. So a lot of time, there is observations that such assessment is not in place, and also sometimes even when it is conducted, it is not properly reviewed or approved.
On the CRA, again, it’s on the documentation where a risk-based approach is not adopted, or sometimes even though a risk-based approach is adopted and the risk categories is assigned to our customers, the underlying rationales is not very clear. So this is another area relating to CRA as well. So next slide.
Okay. So the next one is about outsourcing. So as we all know, in our asset management space, different activities could be outsourced. For some of our clients, they outsource some of the AML services to a third party. Most of the client would definitely carry out due diligence on the third party at the business acceptance. However, there is not so much emphasis on ongoing monitoring or periodic reviews of these service provider. So this is another common findings that are observed.
And then move on to employee trainings or training records. So most of the time, there are training service provider, however, again, it’s not a training itself, but it’s the documentation of such trainings or, you know, explicit requirements relating to the timing and also the completions of these training records that could be enhanced.
The number eight is relating to the segregation of duties. So this is echoed back to the point that I previously share. So a lot of the time, you know, we have the MLROs carrying out compliance programs. We have different service providers carrying out different duties among the AML framework. We need to make sure that, you know, if the one who is doing the BAUs, those are not, you know, also executing independent AML audit as these are, you know, these two should not be mingled together.
And then number nine is we talk about the independence of AML function, and then the last one is more broadly observation relating to corporate governance, not specifically on AML, but more broadly, you know, there should be robust, you know, supervision and escalations on different topics, especially on the compliance side. Okay? So these are key observations within the AML on-site inspection.
Can we move on to the next slide, which we quickly talk about some of the key regulatory fines in the past two years. So I guess in the past, as Joe and also Jessica, share, there are quite a lot of changes from CIMA’s requirements on AML funds and actually, we can see that the enforcements is really picking up the heat. And as we can see in our slides here, we do have different fines from different sort of financial institutions, right? Being, you know, number one and I’m sure quite a lot of people have heard that a large group of trust companies actually being fined a big fine actually for repeated non-compliances, and also to remediate these breaches, right? And, you know, that’s relating to, for example, again, the CDD processes, or source of funds, source of wealth, and also on ongoing monitorings, right? And then move to the next one on broker-dealers, right? Again, focusing you know, not enough emphasis on the CDD measures and also applying risk-based approach to different clients and all that. Next slide.
So these two are actually happening this year and other broker-dealers, in early February, also being fined for failure to comply with, again, on the client due diligence, enhanced due measures and also carry out proper, you know, risk assessment. So these are, you know, again, key emphasis and, again, common themes that we observe on the client due diligence, client risk assessment front. And last case, which is happening in May, again, more on the IDMB on identification of UBO, and also again on the EDD measures as well.
So I guess, you know, as you can see, CIMA is definitely, you know, putting a lot of emphasis on AML and they are definitely making, you know, enforcements case for those that are non-compliant. So definitely, you know, be mindful about, you know, all these key requirements and also the observations, making sure that you have complied with, you know, the requirement. Okay. So that’s it for my sharing now. I’ll pass it to you, Alpha.
Alpha: Thank you. Thank you. I guess my takeaway from the three presenters is that even though Cayman seems like halfway across the globe and we are not sure if they will really come after us in Hong Kong for any potential regulatory breach, but I guess the risk is real and that we need to be mindful of all the requirements as well as the potential area of weakness that we may sometimes overlook. So, excellent. To wrap up, I guess, we hear quite comprehensive updates and refresh of the various trends, expectation from regulators that has potential risk in the AML program. So to wrap up, I guess, every one of our speaker, during the year, I’m sure we have been talking to many clients about similar topics. If you may wrap up by kind of sharing some of the practical difficulties they’re having as far as some kind of final closing comments or advice to our clients, that would be great. Maybe we can go back to Joe first, and then Jessica, and then finally, Vincent. Thank you.
Final Thoughts & Advice to Clients
Joe: Okay. Thanks, Alpha. Yeah, I think from the administrator’s perspective, we’re so focused on service. So for me, a key element is the relationship that you have with your client’s compliance team and their MLRO and that you’re working together on the requirements. There’s a lot of interpretation in policy, a lot of interpretation in the Cayman policy in particular, and you both need to work together to make sure you’re aligned in exactly what you’re looking for to make sure it’s a risk-based approach, the correct risk-based approach has been taken. I think other areas, looking at your controls, looking at your systems, your checklist requirements and making sure you’re enhancing the wording around those to capture all the various areas is important. Training is extremely important. And as I talked about in my presentation, the upfront element of what we need, making it very clear from the start of the process of what you’re gonna require [inaudible 00:46:21] type of risk, they’re the main areas I think we should focus on.
Alpha: Thank you, Joe. Jessica?
Jessica: So from other perspective that special focus should be put on the inspection part. So if you got notification from CIMA that you are going to have a inspection, please coordinate with your AML officers, your AML delegation, and your legal counsels, and try to fully prepared before the inspection will be started. And also make sure everything is in recording, and everything written, and everything should be in English language. And when the CIMA inspection is started, you should know the procedure and so on, and be fully cooperated and put a lot of focus on remediation and make sure that remediation will be adopted and implemented because we cannot say that we will be not second time inspection. So treat it very seriously.
Alpha: Thank you. And Vincent, finally.
Vincent: Thank you, Alpha. So from a third line of defense perspective, as we have shared previously on some of the common themes and findings from the on-site inspection, I think it’s very important to make sure there are proper documentation in place. Definitely, there are sometimes a challenge as to retain some of these documentation, but there is a saying in audit and in review, if you are not documented, it’s not done. So having those documentation in place, the audits are in place will definitely help, on inspections as Jessica has shared, right? And I guess, you know, looking back to Jessica’s point, when there are also inspection, making sure that all the documentation is ready for inspection would be a good way to demonstrate cooperation, and also if there are potential observations, findings, making sure that you have remediation action in place to address these going forward. Definitely key as well.
Alpha: Thank you. Thanks. Thanks all for the reminder. Thank you, Joe, Jessica, and Vincent, I guess this is the panel discussion. Hoping to pass the time to Cora to bring us to the end. Thank you.
Cora: Thank you, Alpha. I think we have heard a lot from the three parties on Cayman AML, how can we do better? I’m sure that every one of you would know that this is an important, it’s always an important topic that we want to ignore, but can never ignore. So going forward, hope that you all be able to handle all this AML matter, even if the regulator come to find you, you are ready. Thank you.