Walkers' regulatory partners Lucy Frew and Ian Mason consider the learning points for financial services providers (FSPs) from recent enforcement actions by Cayman regulatory bodies.

While financial services and related regulation in the Cayman Islands is not concentrated within a single authority, the Cayman Islands Monetary Authority (CIMA) is responsible for most areas of financial regulation. This includes the licensing of banks, investment funds, securities, insurance, money services and corporate services.

With the exception of actions under the Directors Registration and Licensing Act (as amended) in 2020-21, where individual directors were de-registered for non-compliance with their obligations, CIMA's caseload has tended to be fairly steady year-on-year. However, there are clear indications for FSPs of key areas of particular regulatory focus and likely future enforcement actions.

The total value of administrative fines imposed by CIMA for breaches of the Anti-Money Laundering Regulations ("AML Regulations") has increased year on year since 2020. Indeed, the $4.9m levied in fines last year marks a more than eightfold increase on the 2020 figure, although most of that resulted from one case.

Taking action for breaches of the AML Regulations is clearly a priority for CIMA, as there have also been cases that CIMA lost. Regulators are often criticised for bringing only the "easy" cases to win, and focusing on the low-hanging fruit. However, it appears that CIMA has an appetite to bring more challenging cases and test out the limits of its enforcement powers. Ultimately, this will be subject to the courts' review.

It seems reasonable to predict that CIMA will continue to place a strong emphasis on firms having adequate AML controls and procedures in place. So, what lessons are there for FSPs?

A number of AML fines resulted from onsite inspections and, in July 2022, CIMA issued a Supervisory Information Circular on the "Key Findings of Registered Persons from Onsite Inspections". FSPs should pay close attention to the notable deficiencies identified during these inspections, relating to:

  • AML/Countering the financing of terrorism (CFT) policies and procedures;
  • customer due diligence and ongoing monitoring programmes;
  • employee training and awareness programmes;
  • oversight of outsourced AML/CFT compliance functions;
  • implementation of an independent and effective risk-based AML/CFT audit function;
  • governance oversight of the AML/CFT compliance function by the Board of Directors ("Board") or its equivalent;
  • internal reporting policies and procedures;
  • assessment of risk and application of a risk-based approach ("RBA"); and
  • record keeping policies and procedures.

The clear message is that all financial services providers should focus on strengthening their regimes with respect to policies and procedures, ongoing monitoring, employee training and oversight of compliance functions. In doing so, FSPs reduce both the risk of their businesses being abused by criminals and the risk of incurring regulatory fines.

A growing area of CIMA enforcement work is in the virtual asset and crypto sector. The Cayman Islands, like other jurisdictions such as the UK, Dubai and Singapore, has established itself as a FinTech hub to attract virtual asset firms. A legislative virtual assets regime, the Virtual Assets (Services Providers) Act, was implemented on 31 October 2020, and CIMA has registered 18 virtual asset service providers so far.

CIMA is actively policing the virtual asset perimeter by requesting that entities which are providing virtual asset services without having registered either apply to register as a virtual asset service provider or cease and desist. We expect this focus to continue, as it is in the best interests of the Cayman Islands to have a robust regulatory regime. Of course, if CIMA's interpretation of the legislation is challenged, we may see some resulting court cases.

It is important for FSPs to bear in mind that there are a number of bodies in the Cayman Islands with regulatory powers and other areas where vigilance is required in order to remain compliant.

The Department for International Tax Cooperation (DITC), a department in the Ministry of Financial Services and Commerce, is responsible for administering all of the Cayman Islands' legal frameworks for international cooperation in tax matters, and for carrying out the functions of the Tax Information Authority, the Cayman Islands competent authority. This includes enforcing the Economic Substance regime, the Common Reporting Standard (CRS) and the Foreign Account Tax Compliance Act (FATCA). The DITC has imposed fines for failing to comply with the economic substance regime and for failings under the CRS regulations. We would expect this type of enforcement action to continue in the future.

The Registrar of Companies has the power to impose notices of investigation, decision and administrative fines for non-compliance with the Beneficial Ownership Regime. In 2022, the Beneficial Ownership Regime was amended to include a duty to keep Registers up to date. This applies to in-scope entities as well as Corporate Service Providers. Fines for non-compliance are understood to include CI$5,000 for a single breach and much higher penalties for multiple breaches where there was a failure to file beneficial ownership information for multiple entities in one case. These failures occurred where required particulars, such as passport details, expired or changed, as entities are obliged to keep the Beneficial Ownership Register up to date.

Finally, the Supervisory Authority for data protection is the Ombudsman, which has the power to serve enforcement orders and a monetary penalty for a breach of the Data Protection Act. In the last year, it has published five enforcement orders for various violations of the eight data protection principles. No fines have been made public, but findings and the related recommendations to become compliant have been made public.

In one case, the Ombudsman served an enforcement notice on a financial services company that did not meet the requirements of keeping personal data safe by using both adequate technical and organisational measures. In this instance, the company was not fined as it swiftly undertook satisfactory post-remediation steps. However, the Ombudsman required the company in question to remain compliant by continuing to carry out regular audits and review of its security posture, at least on an annual basis. We expect a strong focus on enforcement action for data breaches to continue.
