How would you describe the regulatory policy for fintech products and services in your jurisdiction?
Fintech is a key focus area for the government, which recognises that fintech will disrupt the full range of financial services – including the institutional investor sector, in which the Cayman Islands plays a leading role – and the existing global regulatory regime. The government is therefore seeking to adjust the Cayman Islands’ business, legal and regulatory practices to match the changes that fintech will ultimately produce in order to position the Cayman Islands as a leader in the new marketplace. In line with this, the specific focus is on smart fintech regulation. This approach will allow new technology to be successfully utilised within the financial services industry, including for alternative investment funds. In particular, the Cayman Islands is focused on the development of a certified digital identity platform which can:
- improve business efficiency and quality;
- streamline costs; and
- support effective regulation.
Perhaps in this sector more than others, a detailed understanding of the underlying business is required to navigate the regulatory environment and ensure that a business complies with both existing relevant legislation and evolving regulatory policy. With the sector evolving so rapidly, deep experience in advising fintech businesses is proving to be of paramount importance and this is well-recognised by both service providers and the government.
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
While financial services legislation is well established, the Cayman Islands legal framework was recently expanded to enable IP protection. IP rights are now protected to international standards under Cayman Islands law in the same way in which they are in the United Kingdom. The Cayman Legislative Assembly also passed the Data Protection Law. The new framework will help the fintech space to take hold in the Cayman Islands, as the new law is based on a set of EU-style privacy principles and protects the processing of all personal data in the Cayman Islands.
Otherwise, no specific fintech legislation has been introduced, but it may be introduced as such businesses and products evolve. The Cayman Islands' agile legislative system will allow it to adapt appropriately to developments.
Which government authorities regulate the provision of fintech products and services?
The Cayman Islands Monetary Authority (CIMA) is the primary regulator of financial services, including fintech (to the extent that it is regulated). CIMA regulates financial services in accordance with:
- laws and regulations;
- relevant rules;
- guidance and policies developed by the authority; and
- international standards.
To date, CIMA has taken an approach that is more risk based than rules driven, recognising that the nature, scale and complexity of businesses affect the amount and type of risk faced. This means that it can readily adapt to fintech’s changing regulatory landscape.
Other government bodies, such as Cayman Finance, also assist with developing related policies. Cayman Finance represents the Cayman Islands’ financial services sector and has been a key advocate for developing the growth of fintech. Over the past 12 months, the body has established a fintech working group to engage with the financial services industry, regulators, the government and the media to promote the development of fintech innovation. Discussions have also commenced concerning a potential legal framework, developed under Cayman Finance and CIMA, which could direct the fintech sector towards the institutional market.
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
The legislation and codes of practice that potentially apply to fintech services are:
- the Banks and Trust Companies Law (Revised);
- the Securities Investment Business Law (Revised);
- the Money Services Law (Revised);
- the Proceeds of Crime Law (Revised) and the Anti-Money Laundering Regulations (Revised);
- the Companies Law (Revised);
- the Cayman Islands automatic exchange of information regime, which implements the international tax information disclosure regimes of the Foreign Account Tax Compliance Act and the Common Reporting Standards; and
- the Mutual Funds Law (Revised).
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
The extent to which fintech businesses are subject to licensing requirements depends on the nature of the business and the way in which any particular fintech product or service is structured and delivered.
Are any fintech products or services prohibited in your jurisdiction?
Any fintech product or service that falls within the ambit of the existing legislation is prohibited if it does not comply with the applicable regulatory framework.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
The Data Protection Law 2017, expected to come into force in January 2019, will introduce a legislative framework on data protection that applies to almost all entities (including investment funds) that are established or process personal data in the Cayman Islands.
The Data Protection Law applies in respect of personal data to any data controller of an entity:
- established in the Cayman Islands, where the personal data is processed in the context of that establishment; or
- not established in the Cayman Islands, where the personal data is processed in the Cayman Islands other than for the purposes of the data’s transit through the Cayman Islands.
The new law highlights a growing expectation from global businesses and their clients and investors that organisations must have in place comprehensive data protection compliance policies that are supported by a framework of data privacy legislation.
What cybersecurity regulations or standards apply to fintech businesses?
Once enacted, the Data Protection Law will provide for a regulatory framework to deal with the privacy of personal data. This framework will include standards that would apply from a cybersecurity perspective.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
The Proceeds of Crime Law (Revised) and the Anti-Money Laundering Regulations (Revised) issued under the law apply to any fintech business that is a relevant financial business. For example, if a fintech business providing services associated with cryptocurrencies or digital tokens generated and recorded on a blockchain network is a relevant financial business, it will need to determine who its customers or applicants for business are and collect and maintain client identification documentation concerning such parties. Monies contributed to the business will also likely be subject to scrutiny.
What precautions should fintech businesses take to ensure compliance with these provisions?
Fintech businesses are encouraged to discuss their proposals with specialist legal counsel in the Cayman Islands so that the applicable requirements are fully understood and appropriate measures can be implemented to ensure compliance.
What consumer protection laws and regulations apply to the provision of fintech products and services?
CIMA must endeavour to promote and enhance consumer protection and is the appropriate body to which complaints should be made. In addition, any person directly affected by how CIMA has carried out its functions may file a complaint in writing to its managing director.
More generally, the draft Consumer Protection Bill is undergoing consultation in the Cayman Islands. If implemented, this legislation will apply to all Cayman Islands businesses that deal with consumers.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
No. The Information and Communications Technology Authority Law (2016 Revision) regulates the telecoms, radio and television industries with respect to anti-competitive practices and is vigilant about ensuring fair competition in these industries.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
Forthcoming data protection legislation, which has been developed to be consistent with and complementary to EU General Data Protection Regulation standards, will regulate cross-border transfers of data and ensure that data processed within the Cayman Islands is subject to the appropriate safeguards. No fintech-specific cross-border rules are contemplated at present.