Enforcement actions in the Cayman Islands signal future tack

Analysis of recent moves by the Cayman Islands authorities suggest a more robust approach is coming.

The responsibility for financial services and related regulation on the Cayman Islands is not concentrated within a single regulatory authority. The Cayman Islands Monetary Authority (CIMA) has responsibility for most areas of financial regulation (including the licensing of banks, investment funds, securities, insurance, money services and corporate services).

The Department for International Tax Cooperation (DITC), a department in the Ministry of Financial Services and Commerce, is responsible for administering all of the Cayman Islands’ legal frameworks for international cooperation in tax matters, and for carrying out the functions of the Tax Information Authority, the Cayman Islands competent authority. This includes enforcing the Economic Substance regime, the Common Reporting Standard (CRS) and the Foreign Account Tax Compliance Act (FATCA).

The Competent Authority for the Beneficial Ownership Regime in the Cayman Islands is the Registrar of Companies. The Supervisory Authority for data protection is the Ombudsman.

Summary of enforcement action

CIMA has published the statistics below for cases involving use of its formal enforcement powers:

The significantly larger numbers in 2020-2021 include 1,375 and 1,303 actions under the Directors Registration and Licensing Act (as amended), where individual directors were de-registered for non-compliance with their obligations. Otherwise, the caseload is fairly steady.

CIMA has powers to impose administrative fines. The following fines have been imposed for breaches of the Anti-Money Laundering Regulations (AML Regulations):

CI $1 = US $1.20

It will be noted that in 2022 there was a significant uplift in fines. Most of this resulted from one case, Intertrust Corporate Services (Cayman) Limited v CIMA, in which CIMA imposed a fine of CI $4,232,607 ($5,082,138)for AML customer due diligence failings.

Taking action for breaches of the AML Regulations is clearly a high priority for CIMA, as there have been several other cases in this area, including two high profile cases which CIMA lost.

In Maples Corporate Services Limited and Maples FS Limited v Cayman Islands Monetary Authority, the applicant firms successfully judicially reviewed CIMA’s findings in an investigation report that they had failed to conduct adequate due diligence on their customers under the AML Regulations. CIMA had taken a broad view of the obligations imposed on firms in terms of verification, monitoring and record-keeping.

The judge considered CIMA to have adopted what he found above to be “an ‘envelope-pushing’ approach to the construction… of Regulation 12 (1) of the AMLRs, as they apply in the limited context of registered office service providers“. The decision is helpful for all financial services providers and in particular for corporate services and trust providers.

Given the Cayman Islands’ reputation as a major hub for investment funds, it is unsurprising that CIMA also used its enforcement powers against funds.

In Sterling Asset Management International Ltd v Cayman Islands Monetary Authority, the firm successfully appealed against a fine of CI$299,050 ($359,073) for alleged due diligence failings under the AML Regulations, and failing to carry out all appropriate sanctions checks.

In another AML case, CIMA imposed fines fines totalling CI$116,680 ($140,099) on ICC Intercertus Capital (Cayman) Ltd for failing to comply with enhanced customer due diligence requirements. Similarly, CIMA fined Lion Brokers Limited CI$261,990 ($314,574)Lion Brokers Limited for issues relating to the application of enhanced customer due diligence measures, failing to conduct adequate risk assessments; and failing to conduct and document all appropriate sanctions checks.  

Both these cases had resulted from onsite inspections by CIMA, and similar failings had also been identified during a previous inspection.

Given the Cayman Islands’ reputation as a major hub for investment funds (12,995 mutual funds and 15,854 private funds licensed or registered as at December 21, 2022), it is unsurprising that CIMA also used its enforcement powers against funds. These were generally more routine cases involving failure to submit audited accounts and pay annual fees to CIMA, resulting in cancellation of the funds’ registrations.

However, there were only four cases involving funds listed on the CIMA website in 2022, so action against funds is relatively rare, given the number of funds licensed or registered.

CIMA also brought one case against an insurer, Providers Re SPC, for breaching the margin of solvency requirements under the Insurance Act 2010. The firm was fined CI$16,950 ($20,352), but subsequently applied for voluntary winding up.

Possible future action

Although it is clearly not possible to predict with certainty what future enforcement action may be taken, some tentative predictions may be made.

Adequate AML controls

CIMA will continue to have a strong emphasis on firms having adequate AML controls and procedures in place. As stated above, several of the AML cases resulted from onsite inspections. In July 2022, CIMA issued a Supervisory Information Circular on the “Key Findings of Registered Persons from Onsite Inspections”. The inspections identified a number of notable deficiencies relating to: 

  • AML/Countering the financing of terrorism (CFT) policies and procedures; 
  • customer due diligence  and ongoing monitoring programmes; 
  • employee training and awareness programmes; 
  • oversight of outsourced AML/CFT compliance functions; 
  • implementation of an independent and effective risk-based AML/CFT audit function; 
  • governance oversight of the AML/CFT compliance function by the Board of Directors (Board) or its equivalent; 
  • internal reporting policies and procedures; 
  • assessment of risk and application of a risk-based approach (RBA); and 
  • record
  • keeping policies and procedures. 

The clear message was that all (financial services providers) FSPs should focus on strengthening their regimes with respect to policies and procedures, ongoing monitoring, employee training and oversight of compliance functions. In doing so, FSPs can reduce the risks of their businesses being abused by criminals.

CIMA has taken enforcement action and imposed nine fines to date using its administrative powers against FSPs for breaches of the AML Regulations. We therefore expect to see more AML/CFT/CPF inspections by CIMA and more resulting enforcement action is expected, although not all virtual asset businesses fall within scope.

Virtual assets

Another area where CIMA is active in enforcement (although less publicly) is in the virtual asset and crypto sector. The Cayman Islands, like a number of other jurisdictions (eg the UK, Dubai, Singapore) has established itself as a Fintech hub to attract virtual asset firms. There is already a legislative virtual assets regime, the Virtual Assets (Services Providers) Act which was implemented on October 31, 2020. CIMA has registered 18 virtual asset service providers so far.

However, we are aware that CIMA has been actively policing the virtual asset perimeter, and we are aware of letters from CIMA requesting an entity to apply to be registered as a virtual asset service provider or cease and desist if they are providing virtual asset services as a virtual asset provider.  We expect CIMA to continue to police the perimeter actively, and if CIMA’s interpretation of the legislation is challenged robustly, some court cases may result.

Regulators taking a more robust approach

Regulators are often criticised for bringing only the “easy” cases to win, and focusing on the low-hanging fruit. However given the comments by the judge in the Maples case about “envelope-pushing”, and the robust approach taken in the Sterling Asset Management case, it appears that CIMA has an appetite to bring more challenging cases, and test out the limits of its enforcement powers, although ultimately this will be subject to the courts’ review.  It will be interesting to see if this robust approach continues.

The DITC does not provide any information on its website regarding enforcement notices or penalties. However, we are aware that the DITC has imposed fines for failing to comply with the economic substance regime, and for failings under the CRS Regulations. We would expect this type of enforcement action to continue in the future.

Beneficial ownership

The Registrar of Companies has the power to impose notices of investigation, decision and administrative fines for non-compliance with the Beneficial Ownership Regime. In 2022 the Beneficial Ownership Regime was amended to include a duty to keep Registers up to date. This applies to in-scope entities as well as Corporate Service Providers. 

Notices are non-public but it has been noted that there are notices and fines for non-compliance including CI$5,000 ($6,004) for a single breach and much larger fines for multiple breaches where there was a failure to file beneficial ownership information for multiple entities in one case. These have occurred where required particulars have changed, such as expired passports, as an entity has an obligation to keep the Beneficial Ownership Register up to date.

Data protection

The Ombudsman may serve enforcement orders and a monetary penalty for a breach of the Data Protection Act. In the last year, they have published five enforcement orders for various violations of the eight data protection principles. The Ombudsman has not published any fines but rather findings and recommendations to come into compliance. 

In one case, the Ombudsman served an enforcement notice for a cybersecurity incident for a financial services company. It was found that the company did not meet the requirements of keeping personal data safe by using both adequate technical and organisational measures. 

However, the company was not fined because the Ombudsman found the Company swiftly undertook satisfactory post-remediation steps. The Ombudsman required the Company to remain compliant by continuing to carry out regular audits and review of its security posture, at least on an annual basis. We expect enforcement action for data breaches to continue.

Ian Mason and Lucy Frew, are partners in the Global Regulatory and Risk Advisory Group, Walkers (Cayman) LLP.

Ian is a highly experienced senior financial services regulatory, financial crime and Fintech lawyer. He is a former Head of Department in the Enforcement Division at the UK regulator (now FCA).

Lucy brings more than 20 years’ experience as a specialist financial regulatory and risk management lawyer. She also has in-house experience as legal counsel at a global bank and in the Enforcement Division at the UK’s FCA.