Cayman continues to hold a leading position amongst global financial centres with the announcement of recent upgrades to the Money Laundering Regulations (2008 Revision) (“Regulations”) and the Cayman Islands Monetary Authority’s (“CIMA”) Guidance Notes on the Prevention and Detection of Money Laundering (“Guidance Notes”). These changes have been implemented from a recent set of recommendations by the Caribbean Financial Action Task Force.
The Regulations and the Guidance Notes apply to persons carrying on “relevant financial business” in or from the Cayman Islands. Essentially, “relevant financial business” means (a) a business carried on by a person who is required to be licensed or registered with CIMA or (b) a business engaging in any of the activities listed in the Second Schedule to the Regulations. This update considers the impact of the changes on affected financial service providers.
Compliance Officer
In addition to the requirement to appoint a Money Laundering Reporting Officer (“MLRO”), the Regulations now require someone at management level to be designated a Compliance Officer (“CO”) who is responsible for monitoring and ensuring internal compliance with the laws relating to money laundering. Under the revised Guidance Notes, the CO is specifically responsible for:
- the development of internal policies, procedures and control, including an appropriate compliance management arrangement, and adequate screening of employees;
- an appropriate employee training programme; and
- an audit function to test the system.
The MLRO and the CO may be the same person. In respect of both positions, the relevant officer must:
- have appropriate experience and skill;
- report directly to, and have regular contact with, the Board (or equivalent);
- have sufficient seniority and authority so that the Board reacts to and acts upon any recommendations made;
- have sufficient resources, including a deputy CO; and
- have unfettered access to data and business personnel to appropriately perform the function.
Can the new CO function be delegated?
Historically, regulated investment funds have relied on a provision in Section 8 of the Guidance Notes that allows for de facto delegation of the MLRO reporting function to a Cayman or Schedule 3 service provider (usually the fund’s administrator). We anticipate that CIMA will approve a similar course for the CO function. However, until such time as CIMA issues further policy or guidance, administration agreements should expressly delegate the CO function to the third party although they need not specifically name the CO.
Following the amendments, the Regulations now impose more stringent requirements under which a financial service provider (“FSP”) may accept an eligible introduction (“EI”) from a third party (rather than perform its own full due diligence on the client). The Regulations now require:
- that the level of the client identification undertaken by the third party be known. This can be accomplished by requiring the EI to be accompanied by the actual client identification documents (which, in essence, will be certified copies of the identification documents);
- that the EI’s own AML procedures are satisfactory. Realistically, this can only be achieved by a review by the FSP of the third party’s policies;
- confirmation that the third party will retain documentation under the time limit of its own AML regime; and
- confirmation that the third party will notify the FSP if any of the following happens: the client relationship terminates; the documentation is going to be destroyed; or the terms of the client relationship change such that reliance on the EI is no longer acceptable.
It is important to note that a FSP relying on an EI from a third party remains liable for any failure by the third party to obtain and record satisfactory evidence of the identity of the ultimate client.
Can fund administrators continue to rely on an Eligible Introduction?
In practice, the majority of investor exemptions in respect of the requirement to collect full due diligence documentation fall under one of the following categories: (i) funds being received from an account in the investor’s name with a Schedule 3 bank; or (ii) where the investor is regulated in its own right. An additional exemption is the acceptance (from a regulated third party) by the fund administrator of an EI. This avoids duplication in respect of the collection of full due diligence on the fund’s investors. If a fund administrator wishes to continue to accept EIs, the EI itself will need to be redrafted to reflect the policies stated in points (a) to (d) above, as will the fund’s policies and procedures.
Simplified client due diligence
The amendments to the Regulations have increased client identification requirements in certain circumstances and changed the criteria under which simplified client due diligence (usually exemptions) can be accepted. Specifically:
- where a FSP is required to maintain procedures to identify its clients and has doubts about the accuracy of any evidence of a client’s identity, it must obtain satisfactory additional evidence;
- simplified client due diligence measures (i.e. reliance on exemptions) will be unacceptable in high-risk scenarios. These scenarios may include:
  - a client who is not physically present for identification purposes (i.e. non face-to-face business);
  - politically exposed persons (“PEPs”);
  - cross-border correspondent banking relationships; and
  - where a risk assessment reveals a higher risk of money laundering.
The FSP’s AML policies and procedures will need to be updated to reflect these changes.
To the extent that a FSP has delegated the maintenance of its AML procedures, the FSP should ensure that appropriate policies exist in respect of the acceptance of simplified due diligence.
In addition to the existing requirements in respect of retention of client identification records, a FSP should also retain relevant account files and business correspondence for a period of five years from the termination of the relationship. This includes correspondence which may be relevant or useful to an investigation, including enquiries regarding complex or unusual transactions.
The FSP’s AML policies and procedures will need to be updated to reflect these changes.
To the extent that a FSP has delegated the maintenance of its AML procedures, the FSP should ensure that the delegation now includes the retention of business correspondence and account files.
Subject to the nature and size of its business, a FSP must now undertake an “internal” audit. This is in addition to the already existing requirement for a “financial” audit. Where implemented, the audit will assess:
- the overall integrity and effectiveness of the AML procedures, including client identification and internal controls;
- the risks and exposure to the business;
- compliance with relevant laws and regulations;
- monitoring of high risk transactions, relationships and reporting procedures; and
- training procedures and employees’ knowledge and awareness of the AML regime.
When is it necessary to undertake an internal AML audit?
CIMA’s guidance on the requirement to undertake an internal AML audit states that the audit should be appropriate to the size and scope of the FSP’s operations. In addition, CIMA states that FSPs may satisfy that requirement by:
- Reliance on the internal AML audit of its parent company (where such an arrangement exists); and
- Periodic outsourcing of the internal AML audit through the use of an external vendor. Where the financial audit is outsourced, the AML audit could be undertaken by the same external vendor. However, unlike the financial audit that is conducted annually as mandated by law, an outsourced AML audit could be conducted less frequently if no major internal control issues have been identified.
Delegation of audit function
To the extent that a FSP has delegated the maintenance of its AML procedures, the FSP should (where applicable) ensure that the delegation now covers an internal AML audit.
Recognition of Guidance Notes by the Court
The Regulations now make it clear that the courts will take into account non-compliance with regulatory guidance (i.e. the Guidance Notes) in determining whether a FSP has complied with anti-money laundering legislation. In effect, this reinforces the legal scope of the Guidance Notes.
“Applicant for business”
The Regulations now further define what is meant by an “applicant for business”, i.e. a client, which is defined as:
- a person acting on behalf of, or with the authority of the applicant for business; and
- the natural person or persons who ultimately own or control the applicant for business.
Access to information by MLRO
When considering an internal suspicious activity report, the Regulations now require that full (not just reasonable) access be given to the MLRO in respect of all information.
How should an existing Cayman investment fund respond to the recent changes to Cayman’s AML regime?
Pending any further guidance from CIMA, we recommend that an existing Cayman investment fund do the following:
- Expressly delegate the CO function;
- Amend its AML policies and procedures to reflect the changes by:
  - including the requirement for the fund to undertake periodic internal AML audits that are appropriate to the size and scope of its operations;
  - in relation to the fund’s retention policies, adding reference to business correspondence files and account files;
  - updating its simplified client due diligence procedures;
  - updating its policies regarding acceptance of EIs if it wishes to continue accepting EIs;
- Redraft the form EIs to comply with the changes in that regard (assuming it wishes to continue accepting EIs);
- Comply with the amended policies and procedures. To the extent that the fund has delegated some or all of the new requirements to a regulated party in a Schedule 3 country, it should ensure that the regulated party similarly includes those requirements in its own AML policies and procedures and complies with them.
“Relevant financial business” - Private Trust Company
The list of activities in Schedule 2 that constitute “relevant financial business” has been updated to include the provision of registered office services to a Private Trust Company (“PTC”).
Under regulations pursuant to the Banks and Trust Companies Law (2007 Revision), a Private Trust Company (as defined) that is registered with CIMA is no longer required to obtain a license to act as such. In addition, a PTC must satisfy the following requirements:
- it must have “PTC” or “Private Trust Company” in its name;
- it must make an annual declaration to the effect that it is only carrying on business with “connected persons” (typically, some sort of family connection);
- it must provide the names of its directors; and
- it must also provide details of the trust company with which it has its registered office, which must be a licensed trust company.
A provider of registered office services to a PTC and the PTC itself will need to consider which has responsibility for, and will comply with, the Cayman AML regime. It is hoped that CIMA will shortly issue guidance about which entity has those responsibilities.