Entities captured under the Securities Investment Business Act are coming under more regulatory scrutiny than ever – a trend likely to further increase in tandem with the pace of change. This means it has never been more important to undertake due diligence on providers, understand the various Rules and Statements of Guidance and get solid advice, writes Laura McGeever, Director at Paradigm Governance.
In the last couple of years entities captured under the Securities Investment Business Act (As Amended) (SIBA) have come under increased scrutiny by the Cayman Islands Monetary Authority (CIMA or the Authority). Historically, the SIBA entity has been a preferred option for persons carrying on securities investment business (SIB) and examples of these are investment advisors, investment managers, arrangers of deals and broker-dealers. For the purposes of this piece, we will focus on Registered Persons. [1]
According to data released by CIMA as of December 2022, there were 1,654 Registered Persons and 47 Licensees under SIBA.[2]
In terms of the evolution of the SIBA, it was amended and came into effect in 2019 with the aim of implementing an enhanced supervisory regime for Registered Persons, who were formerly “Excluded Persons”. Such persons were required to re-register with CIMA as a “Registered Person” by 15 January 2020.
This triggered a change in the level of regulatory monitoring and oversight of SIB entities as market participants have witnessed in the last few years. Furthermore, there has been an increase in enforcement action via the administrative fines regime.
Current status
The Cayman Islands as a jurisdiction continues to be an attractive option for persons carrying out SIB; however, clients looking to register under this framework must carefully consider the full requirements and obligations when operating as either a Registered Person or a Licensee. Attention and diligence should be undertaken on core service providers in terms of their capabilities, experience, expertise and regulatory status to ensure that various aspects of the laws, regulations and statements of guidance are adhered to and complied with. Those service providers include Directors, AML officers, registered agents, and providers of outsourced material functions. However, as people serving and advising in this area will know, the rules and regulations affecting an investment manager / investment advisor have drastically changed and there does not appear to be any let-up in the regulatory evolution impacting these entities.
Ongoing obligations for Registered Persons and Licensees
Registered Persons and Licensees are required to submit an annual declaration to CIMA via the REEFS Portal by 15 January of each calendar year. The filing is typically facilitated by Cayman Counsel or the Registered Agent.
The annual declaration should disclose any material changes to the registration since the previous declaration. This is notwithstanding the fact that the Registered Person or Licensee is required to notify CIMA of any material amendments within 21 days of the occurrence. The following are material changes:
- Changes in directors or senior officers (this includes changes in AML officers and Principals of the General Partner/Managing Members);
- The issue, voluntary transfer or disposal of any legal or beneficial interest in any shares or interests;
- Ceasing to carry on SIB regulated activity in the Cayman Islands; and
- Any modifications to the information originally filed by the Registered Person or Licensee in its application (the exception to this relates to client lists which need only be updated as part of the annual declaration due by 15 January in each calendar year).
The related CIMA annual license fee must also be paid by the 15 January deadline to avoid penalties.
From a General Registry standpoint, the Economic Substance Declaration, Annual Return and related annual license fees must be submitted and paid by 31 January each year in order to be able to obtain a certificate of good standing.
Fitness and probity
Registered Persons and Licensees are required to ensure that shareholders, directors and senior officers are “fit and proper” persons.
Such persons are required to submit a Personal Questionnaire (PQ) to CIMA as part of initial registration and licensing.
CIMA will not grant its approval of the Registered Person or Licensee until they are satisfied as to the fitness and probity of the controllers, management, and beneficial owners.
Moreover, there is a requirement to appoint a minimum of two directors who are individuals or one corporate director. The directors must comply with the Directors Registration and Licensing Act (As Revised) and remain in good standing as it relates to the payment of annual license fees. Directors must also provide additional confirmations concerning any convictions of criminal offences involving fraud or dishonesty and disclose whether they have been subject to any adverse findings, financial penalties, sanctions, or disciplinary actions by any regulatory or professional bodies. The required declarations and annual fees are processed via https://gateway.cimaconnect.com/
Cayman AML regulations and guidance notes
SIBA entities are deemed to be undertaking “Relevant Financial Business” pursuant to the Proceeds of Crime Act (As Revised) (PCA) and under the Anti-Money Laundering Regulations (As Revised) (AMLRs) and the Guidance Notes on the Prevention and Detection of Money Laundering and Proliferation Financing in the Cayman Islands (the Guidance Notes) (AML Regime).
In practical terms, the SIB entity must identify natural persons to fulfill the roles of Anti-Money Laundering Compliance Officer (AMLCO), Money Laundering Reporting Officer (MLRO) and Deputy MLRO from a contingency standpoint (the AML Officers).
Our team has previously discussed and dissected the role and responsibilities of the AML Officer functions in an earlier update which can be located here https://paradigm.ky/news/critical-considerations-when-selecting-aml-officers-its-important-to-get-it-right/
Fundamentally, and from a director or operator perspective, the Licensee or Registered Person has ultimate responsibility for compliance with the AMLRs. Where an AML Officer is outsourced, it is crucial that those charged with governance have reviewed the scope of service agreements in detail and undertake a regular review of policies and procedures, given the pace of regulatory change. The expectation is that those charged with governance will conduct due diligence and materiality assessments on outsourced providers performing material functions.
The validation and checks around this piece hinge around the adequacy and effectiveness of the business risk assessment from a control perspective, as well as a review of outsourced providers. Typically, the internal audit function will take a deep dive into this to provide comfort to those charged with governance.
Furthermore, in light of the geopolitical and macro events that ensued in 2022 concerning Russia and Ukraine, the Cayman Islands as a jurisdiction has navigated a plethora of sanctions updates and has required Boards of Directors and AML Officers to proactively address notifications to the Financial Reporting Authority (FRA) in respect of designated persons and entities. These sanctions are subject to continual updates and so directors and operators of SIB entities must ensure that regular screening takes place according to OFSI, UK, OFAC, UN and EU updates. Practically speaking, there should be an understanding of the type of screening system that is being used to capture updates to these lists and of the screening methodology (i.e. who is being screened, such as beneficial owners with 10% or more holdings, related parties, directors, as well as the legal entity itself). There should also be an understanding of the frequency of the screening process, the technology that is being used and the steps taken to ensure that it is sufficient and scalable to process data based on the nature, size and complexity of the entity and its client base. The Registered Person or Licensee must be able to demonstrate to CIMA that it has a robust and adequate screening system in place, and where this function is outsourced to a third party or automated screening system, this must be clearly documented.
Registered Persons are required to comply with targeted financial sanctions requirements under the Terrorism Act (As Revised), and the Proliferation Financing (Prohibition) Act (As Revised).
Any failure to comply with, or any circumvention of, an asset freeze is a criminal offence, and those charged with governance and/or the AML officers may also be held personally liable and subject to fines under the administrative fines regime; see the Monetary Authority (Administrative Fines) Regulations, 2017 (cima.ky).
Statements of guidance
There are various statements of guidance (SoG) which a SIB Registered Person or Licensee must comply with.
As part of establishing the governance and controls framework, operators and Directors of SIBA entities should assess the requirements and develop policies and procedures based on the size, nature and complexity of the organization.
The SoGs help formulate the pillars of the entity’s compliance program and seek to document the control framework. We do not propose to dissect the SoGs in detail, which are located at https://www.cima.ky/; however, the formulation and documentation of adequate policies and procedures covering the SoGs below should not be underestimated. CIMA’s interactions with Registered Persons and Licensees are pragmatic and one key takeaway is that if a policy or procedure is not documented, it simply does not exist.
The appointment of competent AML officers and specifically the AMLCO to design an adequate and effective AML program is a key step to set the correct compliance tone and culture from the outset. All policies and procedures should be approved by those charged with governance.
The second prong is to have an established internal audit plan to kick the tyres on the existing controls framework.
The following is a list of the current SoGs:
- Rule and Statement of Guidance on Internal Controls*
- Statement of Guidance on Corporate Governance*
- Statement of Guidance on Succession Planning
- Rule and Statement of Guidance on Cyber Security*
- Statement of Guidance on Outsourcing*
- Statement of Guidance on Business Continuity
- Statement of Guidance for Professional Indemnity Insurance
- Statement of Guidance on Nature, Accessibility and Retention of Records*
- Data Protection Act requirements
*These have recently been updated as of April 2023.
Arguably, one of the most topical updates concerns the proposed Rule and Statement of Guidance on Internal Controls. After consultation with the industry, the updated Rule and Statement of Guidance on Internal Controls for Regulated Entities comes into effect on 14 October 2023. The Rule will further clarify the obligations imposed on all regulated entities (effectively all entities which appear on CIMA’s website / are supervised by the Authority will be captured by this new ruling).
In the context of this article, SIB entities will be within scope of this Rule. The updates will follow the International Organization of Securities Commissions (IOSCO), which is the global standard setter for securities markets regulation. IOSCO establishes that appropriate risk management frameworks and internal controls systems are of paramount importance for a firm’s control environment.
Essentially, SIB entities will need to perform regular independent audits of their internal controls systems to test operational effectiveness. There will be increased costs resulting from this new requirement specifically around developing the framework, engaging an independent third party to conduct an audit and of course the ongoing monitoring and resourcing costs.
However, it is worth highlighting that while some of CIMA’s circulars are specific to SIB Licensees, in practice the industry has noted that these have been applied to both Registered Persons and Licensees during the regulatory inspection process. CIMA views the SoGs as minimum standards and therefore they are not prescriptive or exhaustive. With that in mind, it is therefore prudent that consideration is given to each SoG and its application to the business given the specific nature, size, complexity, and its operations.
AML
Due to the large size and highly international nature of the Cayman Islands SIB sector, regulated SIBs are considered to have a medium-high risk rating[3].
In recent years, CIMA as the Competent Authority has actively engaged with industry to share insights and expectations for those carrying on SIB. Most notably, a detailed circular was issued in July 2022 concerning “Key findings of Registered Persons from On-Site Inspections”. This notice provided the industry with an overview of key findings and common recurring themes which arose as part of the on-site inspection process.
There are a few key areas to highlight where the Authority noted deficiencies:
- Policies and procedures:
  - Weaknesses around undertaking know your client customer due diligence (CDD) depending on the risk assessment, verification and ongoing monitoring,
  - Lack of processes for internal reporting and the adequacy of using a risk-based approach as it related to the licensee,
  - Infrequent reviews of policies and procedures to contemplate changes in Regulations and Guidance Notes, and
  - Deficiencies around record keeping procedures.
- Failures around employee screening process during the recruitment process.
- Deficiencies around employee training, retention of training records, frequency of training, training for specific roles (i.e. compliance staff / Board of Directors), content of training specific to the Cayman Islands Acts, Regulations and Guidance Notes.
- Deficiencies concerning the risk assessment, consideration of key risk factors (product, services, delivery channels, geographies etc.). Inadequate documentation of the risk rating methodology.
- Governance Framework – inadequate oversight function of the Board in terms of frequency of meetings, discussion of AML and compliance issues, requirements for the Board to approve material updates to policies and procedures.
- Independent audit function – inadequate documentation of the internal audit function, frequency of reviews, independence of this function separate from compliance, those undertaking the risk assessment or in client-facing functions.
- Outsourcing – inadequate documentation / policies outlining key outsourced providers undertaking material functions. Absence of robust contractual arrangements and deficiencies around materiality assessments, due diligence and testing of Ops, Board oversight of providers, irregularities around reviews.
More recently in October 2022, CIMA engaged with service providers in the Cayman Islands and issued AML questionnaires to SIB persons. There were approximately 500 questions covering the following:
- Customer risk
- Products and services risk
- Distribution/channel risk
- Oversight of the governing body
- Senior management
- The compliance function
- Training
- Record keeping
- ML/TF/PF risk assessment
- AML/CFT/CPF compliance programme policies and procedures
- Sanctions screening and monitoring
- Transaction monitoring
- SARs / STRs
- Outsourcing arrangements.
It is likely that these questionnaires will become an annual feature and so directors and operators should consider these focus areas when conducting annual risk assessments and monitoring compliance with the various SoGs.
In January 2023, Registered Persons and Licensees received a communication from CIMA in relation to 2023 Internal Audit Plans and the requirement to undertake a regular review of their internal controls and infrastructure to ensure that they are suitably robust in consideration of the nature and scale of their operations.
In March 2023, Registered Persons and Licensees received a communication from CIMA in relation to the events surrounding Silicon Valley Bank, Signature Bank and Silvergate Bank. CIMA requested details of any business relationship that regulated entities had with the impacted banks.
All of these regulatory touchpoints demonstrate a keen focus on the SIB which is unlikely to dissipate.
Internal audit
The CIMA Statement of Guidance on Internal Control expects that a regular review of the entity’s control framework be undertaken. Given the dynamic nature of a business and changes in client base, outsourcing arrangements and sanctions events, the compliance program must be dynamic and also scalable as the business grows. The requirement for an internal audit seeks to give comfort not only to the regulatory authority but also to the Board and other stakeholders that the control framework is suitably robust to manage emerging risks that may present. Therefore, internal audit should be viewed as an ally to the business rather than an adversarial exercise. As the internal audit is quite often a prelude to an external or regulatory audit, it inevitably serves as a good litmus test and an opportunity to remediate and enhance controls.
The appointment of an independent AML auditor is a core control. Careful consideration must be given to determining who can perform this role as they should be both suitably qualified and independent from the compliance function. In other words, they should be fully independent of those undertaking the risk assessment and those performing the role of compliance officer / MLRO / DMLRO. Registered Persons and Licensees should establish a policy and guidelines around the internal audit framework and how a determination is made as to selection of suitable persons.
The aim of the internal audit is to test the implementation and adequacy of the controls and systems framework based on the existing documented policies and procedures. The internal audit should focus on the enterprise-wide business risk assessment, apply a risk-based approach to focus on higher risk areas and determine if there are gaps or deviations from the established risk profile of the entity as well as noncompliance with regulatory requirements.
The internal audit has been an area where CIMA has repeatedly identified weaknesses as seen in its key findings report.
Recent regulatory updates
On 27 March 2023, the Cayman Islands government proposed seven amendment bills, one of which relates to the Securities Investment Business (Amendment) Bill, 2023. The genesis behind these amendments is to strengthen the Cayman Islands Monetary Authority’s powers and to apply proportionate and dissuasive actions to all types of legal persons within its supervision.
Most notably, this bill seeks to extend CIMA’s sanctions regime to legal persons who fall under CIMA’s supervision i.e. partnerships, exempted liability partnerships, limited liability partnerships, partnerships of such partnerships and unincorporated associations other than a partnership, and also the persons concerned in the management or control of such associations.
The amendments to the Monetary Authority Act will permit CIMA to share non-public information of criminal conduct uncovered while carrying out its duties as an overseas regulatory authority.
The Monetary Authority (Amendment) Bill, 2023 contemplates certain amendments that would provide greater transparency, enhance international cooperation with overseas regulatory authorities, simplify the exchange of information process and extend the application of the disgorgement principle, to prevent persons who breach this law from gaining financially.
For those who have navigated the FATF Mutual Evaluations and grey listing over the last few years, it does appear that these proposals provide for enhanced collaboration and cooperation given the pressure that the jurisdiction has been subject to in recent years.
Economic substance requirements
A Registered Person undertaking “Relevant Activity” under the International Tax Cooperation (Economic Substance) Act (2021 Revision) (ES Act) must also comply with Economic Substance Regulations and satisfy the Economic Substance Test. An assessment must be made at the outset to determine whether the entity is within scope. As an example, an entity which acts as a discretionary manager of an investment fund as defined in the ES Act will be deemed to be carrying out fund management business.
Directors and operators of Registered Persons under the SIBA should monitor compliance with the ES Act on a continual basis and ensure compliance with the Economic Substance test.
For the purposes of this article, the specifics of the ES Act and considerations for Registered Persons have not been explored in detail given the depth of these regulations and also the compliance requirements depending on the “Relevant Activity”.
Future considerations
What holds true is that regulatory compliance in the jurisdiction will continue to increase and the pace of change should not be underestimated. For users of Cayman, it has never been more important to undertake due diligence on your chosen providers as a trusted resource so that they can provide solutions, and to appoint a multi-disciplinary and experienced team which takes an active role in managing and mitigating risks.
At its core, increased regulation seeks to protect users of the jurisdiction and safeguard stakeholders so that the Cayman Islands retains a reputation for balanced and prudent regulation which rivals competing jurisdictions.
Please check out the Paradigm Governance team at our website www.paradigm.ky to discuss how we can assist with your governance solutions. Our industry experts, who have over 250 years of collective experience spanning various jurisdictions and professional qualifications, can help you navigate the current regulatory environment.
Paradigm is fully regulated and licensed as a Company Manager by the Cayman Islands Monetary Authority.
This article does not and is not intended to constitute legal advice.
[1] A Registered Person means a person specified in Schedule 4 of the Securities Investment Business Act (as amended) and who has registered with CIMA in accordance with Section 5(4).
[2] https://www.cima.ky/upimages/publicationdoc/CIMAFACTSHEET-De_1679337057.pdf
[3] https://www.cima.ky/cima-launches-first-financial-stability-report