Introduction
What should a Regulated Entity do if it receives notice that it is going to be subject to an on-site inspection?
Can a Regulated Entity brief its personnel ahead of an on-site inspection?
Is there anything a Regulated Entity should not do if it receives notice that it is going to be subject to an inspection?
What happens, and is there anything a Regulated Entity should do, once the CIMA has completed an inspection?
What happens if the CIMA finds that a Regulated Entity has failed to meet one or more of its regulatory obligations?
Is there anything that a Regulated Entity can do to prepare for a CIMA inspection?
Comment
This article discusses how to best to prepare for, manage and respond to an on-site inspection made by the Cayman Islands Monetary Authority (CIMA). It also addresses some frequently asked questions for regulated entities in relation to such inspections.
The CIMA has powers under the Monetary Authority Act (MAA) and certain other regulatory laws of the Cayman Islands to conduct on-site inspections of licensees, such as administrators, banks and trust companies, and other regulated entities, such as registered persons under the Securities Investment Business Act in the Cayman Islands (together, Regulated Entities). For the avoidance of doubt, the scope of this article does not extend to regulated investment funds.
On-site inspections are routinely conducted by the CIMA's dedicated on-site inspections unit in order to:
- understand the business activities and operating environment of Regulated Entities;
- detect problems of compliance (and any non-compliance) with applicable legislation and/or regulations; and
- gather information on any matters that may require policy considerations.
On-site inspections may involve supervisory visits to Regulated Entities' places of business both in the Cayman Islands and overseas, and they can be either "full-scope", involving a review of all areas of a Regulated Entity's operations, or limited to specific areas of a Regulated Entity's operations, such as the adequacy of the measures put in place by a Regulated Entity with regard to anti-money laundering (AML), combatting terrorist financing (CTF) and countering proliferation finance (CPF), as well as its internal control systems, policies and procedures.
The remainder of this article answers FAQs in relation to CIMA on-site inspections.
What should a Regulated Entity do if it receives notice that it is going to be subject to an on-site inspection?
In the first instance, a Regulated Entity should take steps to clarify:
- precisely when the inspection will take place and what timeframe the CIMA has allotted for the inspection; and
- what the scope and parameters of the inspection will be – ie, will the on-site inspection be a full-scope review or limited to a specific area of the subject Regulated Entity's operations, such as AML compliance.
More specifically, a Regulated Entity subject to on-site inspection should confirm:
- the way in which the inspection will occur, including whether it will be a desktop inspection (ie, a remote review of a Regulated Entity's policies and procedures to be provided to the CIMA electronically), a physical inspection conducted by way of a site visit or a combination of the two;
- whether the CIMA proposes to interview any personnel and, if so, precisely which people should be made available; and
- any deadlines attached to any specific information and/or documentation requests that will be made by the CIMA during the on-site inspection process.
More generally, it can be said that Regulated Entities should be as cooperative with the CIMA as is practicable during an on-site inspection – not least because a Regulated Entity's lack of cooperation during an inspection will be taken seriously by the CIMA and will be an exacerbating factor should it identify any non-compliance with applicable laws and/or regulations. Ultimately, a Regulated Entity's level of cooperation may be a relevant factor in the CIMA's determination as to whether to take any enforcement action and, if so, the form and extent of such enforcement action.
In this respect, a Regulated Entity subject to on-site inspection should establish and circulate to all personnel a clear document management procedure to ensure that:
- no documentation is destroyed, damaged or concealed;
- any documentation or other material that is confidential and/or legally privileged is identified and handled appropriately; and
- copies of any documentation requested by the CIMA are reviewed and, if appropriate, provided by a suitable external point of contact or team.
Discussions with the CIMA are generally encouraged at the outset to discuss how the CIMA would prefer to receive requested information and uploads, which will permit the implementation of a protocol for recording and tracking the transfer of such information. Such a protocol should take into account the precise extent and scope of any document requests, and it should make provision for the CIMA's preferred method of upload, such as secure electronic file transfer.
The above disclosure procedure should also cover, and provide for recording and tracking of, all communications with the CIMA (together with the date and time of any such communications) throughout the on-site inspection process, including all:
- in-person and/or telephone conversations with the CIMA;
- emails sent to, and received from, the CIMA; and
- other written correspondence with the CIMA.
Can a Regulated Entity brief its personnel ahead of an on-site inspection?
Senior management and personnel in all relevant functions should be briefed as to how the CIMA will conduct the inspection once the scope and parameters of an on-site inspection have been confirmed; this should occur in advance of the on-site inspection itself.
An internal meeting of all relevant personnel, for example, is often a helpful way of prompting the raising and exploring of any potential concerns with management, and may assist a Regulated Entity's management and/or compliance function in identifying any issues that may need to be raised with external counsel and/or the CIMA either ahead of or during an on-site inspection.
Subject to the CIMA's preferences, the nomination of a single point of contact for a subject Regulated Entity, through whom all communications with the CIMA should be conducted, is advisable. This often improves the efficiency of communications with the CIMA during an inspection process, and, importantly, it allows a Regulated Entity to more easily manage its exchange of information with the CIMA and to avoid the provision of any inconsistent or inaccurate information. Wherever a single point of contact is designated by a Regulated Entity for the purposes of an on-site-inspection, it is important that the CIMA is made aware of this person and notified as to how it should contact them.
Is there anything a Regulated Entity should not do if it receives notice that it is going to be subject to an inspection?
It is important to remember that the CIMA has broad powers under the MAA and other regulatory laws of the Cayman Islands to require Regulated Entities to provide such information and/or documentation as the CIMA may reasonably require in connection with the exercise of its regulatory functions (including, where appropriate, the conduct of an on-site inspection). It should also be noted that a person who, without reasonable cause, fails to comply with such a requirement, or wilfully obstructs a CIMA inquiry made in accordance with the CIMA's powers, commits an offence and may be liable to financial penalties (including, potentially, administrative fines levied by the CIMA under the Monetary Authority (Administrative Fines) Regulations of the Cayman Islands (Administrative Fines Regulations)).
Any attempt by a Regulated Entity, or any of its personnel, to obstruct, impede or delay a CIMA on-site inspection process may attract (or amplify any already present) enforcement risk; it is essential that a Regulated Entity subject to an on-site inspection process takes no steps or actions that could be deemed to be obstructive or otherwise evasive. A Regulated Entity must not, for example, destroy, damage or conceal any documentation requested by the CIMA during an on-site inspection. In particular, heavily redacted copies of requested documentation are unlikely to be well received, and, accordingly, any such redaction should be carefully considered (with specific legal advice taken in this respect) and a thorough explanation for any such redaction should be provided to the CIMA alongside the relevant redacted documentation.
What happens, and is there anything a Regulated Entity should do, once the CIMA has completed an inspection?
The CIMA will typically hold a form of "closing meeting" at the end of an on-site inspection in order to highlight any immediate issues or concerns arising out of the CIMA's findings with the subject Regulated Entity. This meeting is designed to provide the subject Regulated Entity with an opportunity to respond to the CIMA verbally and to clarify any issues pertaining to any preliminary findings arising out of the inspection. A Regulated Entity should make and keep a comprehensive note of this meeting, including a detailed record of any initial findings, and any related commentary, communicated by the CIMA at this stage. The CIMA has made it clear that the closing meeting is intended to provide management teams at subject Regulated Entities with an opportunity to explain and discuss any potential findings. Accordingly, management teams at subject Regulated Entities should seek to use the closing meeting to get a clear and detailed understanding of all potential findings. The CIMA has also indicated that the closing meeting may be an appropriate environment for management teams to raise with the inspection team any matters in respect of which it appears there is a divergence between the CIMA and the Regulated Entity's analysis or understanding of a given matter. For this reason, it is generally recommended that a subject Regulated Entity take legal advice regarding any such anticipated areas of divergence in advance of its closing meeting with the CIMA.
Thereafter, the CIMA will prepare a draft inspection report and share this with the subject Regulated Entity. This is an important stage in the CIMA's on-site inspection process and an opportunity for a Regulated Entity to respond to and comment on the CIMA's draft findings as may be required. It also represents a chance for a Regulated Entity to provide further information, if helpful, to the CIMA in order to clarify the CIMA's findings and/or, if appropriate, satisfy the CIMA as to the Regulated Entity's compliance in respect of any relevant findings. The CIMA will prescribe a response deadline; it will be important for a Regulated Entity to begin preparing its written response (which may require legal input) as soon as possible. Where legal counsel has not been involved during an on-site inspection itself, this is the stage in the inspection process at which a subject Regulated Entity should carefully consider engaging legal counsel to advise and, in particular, to assist with the preparation and submission of a written response to the CIMA.
What happens if the CIMA finds that a Regulated Entity has failed to meet one or more of its regulatory obligations?
For Regulated Entities, the financial, commercial and reputational risks involved in failing to demonstrate full compliance with their regulatory obligations in the Cayman Islands are significant.
Where the CIMA determines, through an on-site inspection, that a Regulated Entity has failed to meet its regulatory obligations, the CIMA may, among other things:
- require such Regulated Entity to take steps to remediate any failures within prescribed time frames;
- suspend, impose conditions upon or even revoke, a Regulated Entity's licence, registration or authorisation to operate in the Cayman Islands; and/or
- initiate the applicable process to impose financial penalties (including, in the case of any breach prescribed as "very serious" under the Administrative Fines Regulations, a fine of up to $1,219,512 per breach).(1)
The CIMA also routinely publishes details of any disciplinary action taken against Regulated Entities, and so it is important that all Regulated Entities are adequately prepared to manage and respond to an on-site inspection.
Is there anything that a Regulated Entity can do to prepare for a CIMA inspection?
A Regulated Entity is well advised not to await an inspection notice from the CIMA before beginning to prepare for an on-site inspection and, if appropriate, engaging external counsel to assist with this.
Compliance and risk assessment "health checks" can be carried out in advance to test systems, controls, policies and procedures in order to identify any issues or areas for improvement ahead of any inspection. Ongoing monitoring and assessment are key requirements of the Cayman Islands AML/CFT/CPF regime, and so, depending on the size and complexity of its business, a Regulated Entity would benefit from engaging an independent service provider to conduct a full compliance audit, which would evidence it taking its ongoing review obligations seriously.
It is important to note that Regulated Entities will be expected by the CIMA to ensure that their systems, controls, policies and procedures are current, in line with all applicable laws and regulations, and account for and reflect any updates, amendments or changes in this respect.
It is also important to note that the CIMA will generally not credit a subject Regulated Entity, either during an on-site inspection process or in any inspection report generated therefrom, for policies or procedures (or any updates made to such policies or procedures) that are put in place (ie, formally approved and implemented by such Regulated Entity) after such Regulated Entity has received an inspection notice from the CIMA. While there may be merit in a Regulated Entity taking steps, if required, to implement and/or update any relevant policies and procedures after receiving an inspection notice from the CIMA (and representing, to the extent appropriate, that it has taken pre-emptive remedial action in this respect ahead of its on-site inspection), Regulated Entities would be well advised to regularly review (or engage Cayman Islands counsel to review) their relevant compliance policies and procedures, generally annually, in order to ensure that they are kept in line with all applicable laws and regulatory requirements.
Where any compliance deficiencies are identified through a scheduled audit or review, or otherwise, it is essential that these are brought to management's attention immediately, appropriate remediation is authorised and implemented as soon as is practicable, and a comprehensive record of all remedial action taken is kept. Where management has been alerted to compliance issues and not taken immediate action to remediate them, this will be taken into account by the CIMA in any on-site inspection report and related enforcement action.
On-site inspections are one of the key ways in which the CIMA discharges its compliance monitoring function under the MAA, and regulatory inspections such as these are becoming increasingly common practice in the Cayman Islands.
Being subject to an on-site inspection can, however, create significant workflow for a Regulated Entity, including the preparation and submission of detailed responses, which must be carefully delivered to the CIMA in line with prescribed, and sometimes demanding, deadlines.
Any Regulated Entity that is subject to a CIMA on-site inspection should consider engaging external counsel to assist with its preparation and the inspection process as early in the process as is practicable.
Regulated Entities should not wait until they are put on notice of a CIMA on-site inspection before beginning to prepare for one. There are a number of steps that a Regulated Entity can take in order to prepare for an inspection ahead of time, and which may enhance and strengthen its compliance controls, systems and procedures generally.
For further information on this topic please contact Martin Byers, Joanne Huckle, Dave Sherwin or Christopher Levers at Ogier by telephone (+1 345 949 9876) or email ([email protected], [email protected], [email protected] or [email protected]). The Ogier website can be accessed at www.ogier.com.
Endnotes
(1) Administrative fines are levied in Cayman Islands dollars. The figures quoted are in US dollars at an exchange rate of $1.00=CI$0.82, rounded up to the nearest US dollar.