Lucy Frew
Partner
Cayman Islands
Oct 16, 2024
Key takeaways
All financial service providers ("FSPs") subject to the Cayman Islands Anti Money Laundering Regulations (as amended) (the "AML Regulations") have initial and ongoing customer-related obligations and must implement internal controls. These include an independent audit function ("AML Audit") to periodically test a FSP's policies, procedures, systems and controls for anti-money laundering, counter-terrorist financing, counter-proliferation financing and sanctions compliance (collectively "AML/CTF/CPF/Sanctions"). The Cayman Islands Monetary Authority ("CIMA") has emphasised the importance of the obligation to conduct independent audits in many publications and during inspections.
The AML Regulations require all FSPs on a mandatory basis to have an effective risk-based independent AML Audit function. FSPs include investment managers, advisors, dealers and arrangers, mutual funds, private funds, fund administrators, trust and corporate service providers, banks, certain insurers, virtual asset service providers, money service businesses, estate agents, precious stones and metals dealers and others. Adherence to the AML Regulations is required for FSPs adopting group standards as well as those operating in the Cayman Islands only.
The AML Audit should test not only the content of the FSP's policies and procedures but also implementation in practice. In this context the term "audit" is used by CIMA in the sense of testing the efficacy and efficiency of the FSP's AML/CTF/CPF/Sanctions systems, policies and procedures and is separate from and different to internal audit requirements more generally or financial audits.
The AML Regulations do not prescribe the content or frequency for the AML Audit but CIMA's Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands provide that the AML Audits should be regular and commensurate with the FSP's nature, size, complexity and the risks identified during its documented AML/CTF/CPF/Sanctions risk assessment.
The FSP's board, managing member, general partner or trustee, as the case may be, is ultimately responsible for the FSP's compliance with the AML Regulations, including the obligation to have an appropriate effective risk-based independent AML Audit function. A FSP can demonstrate clearly apportioned roles for countering financial crime where its anti-money laundering compliance officer ("AMLCO") or other audit, compliance or review function ensures that regular AML Audits take place and that any AML Audit report is presented directly to the board or equivalent or relevant committee.
AML Audits do not necessitate engaging a professional audit firm. However, an FSP's AMLCO, money laundering reporting officer and deputy money-laundering reporting officer will not be considered as independent. In-house compliance teams with any operational involvement will also not meet the expected independence criteria. Law firms or compliance consultants can provide a solution for entities without in-house internal audit capabilities. The AML Audit function can be outsourced, subject to compliance with CIMA's outsourcing requirements, and for FSPs with no or few staff, outsourcing is the preferred approach.
The AML Audit should test the FSP's AML/CTF/CPF/Sanctions systems, including:
Any legal or natural person who breaches the AML Regulations commits an offence and is liable on summary conviction to a fine of up to approximately USD 600,000 or on indictable conviction to an unlimited fine and imprisonment for two years. There are also administrative fines that can be imposed by CIMA through inspections or otherwise.
CIMA has indicated through inspection-derived data that some FSPs are not complying with the requirement to undertake an independent AML Audit. This has led to increased scrutiny of compliance with the independent AML Audit obligation and the broader AML/CTF/CPF/Sanctions regime. The data included specific statistics showing adherence to the requirement by fewer than 50% of inspected entities. Follow-up industry engagement circulars and mandatory surveys have similarly reinforced CIMA's focus on this issue.
A failure to conduct independent AML Audits amounts to non-compliance with the AML Regulations. Given the regulatory landscape and the increasing number of administrative fines, conducting regular independent AML Audits will allow a FSP to identify any compliance issues and remediate in good time.