Our views on CIMA’s latest AML / CFT Activity Report

By Scott Blench

The Cayman Islands Monetary Authority (“CIMA”) recently published the annual Anti-Money Laundering ("AML") and Counter-Terrorist Financing ("CFT") Activity Report (the "Report") for 2022. The Report sets out CIMA’s AML / CFT activity and risk-based approach (“RBA”) to on-site inspections during the period and found that 940 requirements were issued across 88 on-site inspections. CIMA will continue to take robust and prompt action where it finds that regulated entities are not meeting the standards required by the Anti-Money Laundering Regulations (2023 Revision), including enforcement action and fines where appropriate.

Grant Thornton’s analysis of the common deficiencies identified, and our recommendations are set out below.

Of the 940 requirements issued, 178 requirements were for Internal Controls. This included:

• Lack of evidence of AML / CFT audits being conducted.
• Lack of evidence of the independence of the person conducting the AML / CFT audit.

We recommend that Financial Service Providers (“FSP”) carrying out relevant financial business conduct regular independent AML / CFT audits. The frequency of the audit must be commensurate with nature, size, complexity of the entity, and consider the risks identified during the business risk assessment. FSPs should maintain internal audit procedures that are periodically reviewed and approved by the Board of Directors (“Board”) / Management.

180 requirements were issued for Client Due Diligence. This included:

• Incomplete or inadequate Client Due Diligence (“CDD”), including CDD measures that were not reliable or independent.
• Inadequate enhanced due diligence for high-risk clients.

We recommend that FSPs maintain procedures for client identification and verification, and ongoing monitoring. Robust controls must be implemented to ensure CDD documentation is maintained and updated in line with the risk-based ongoing monitoring procedures, including periodic reviews and trigger events. The design and operating effectiveness of the Board / Management approved procedures should be subject to regular independent AML / CFT audits, with a larger sample focusing on high-risk clients.

160 requirements were issued for risk-based approach. This included:

• Inadequate evidence of the application of a RBA in relation to the size, nature and complexity of the operations and client relationships.
• Inadequate evidence that all relevant risk factors were considered to determine the level of overall client risk.

In applying a RBA, we recommend that FSPs maintain RBA procedures and document a business risk assessment (“BRA”) to demonstrate that all relevant risk factors and sources have been considered in determining the overall risk of money laundering and terrorist financing. The BRA should identify the inherent and residual risk regarding the FSPs products, services, delivery channels, customer types and geographical locations. The BRA, client risk assessment and RBA procedures should be periodically reviewed and approved by the Board / Management and subject to regular independent AML / CFT audits.

Other common deficiencies and requirements issued by CIMA related to:

• Inadequate AML / CFT policies and procedures.
• Insufficient evidence to demonstrate AML / CFT training was implemented and conducted.
• Inadequate Sanctions screening, including lack of evidence of timely screening as sanctions lists were updated.
• Inadequate or incomplete ongoing monitoring in relation to periodic reviews and transaction monitoring.

How we can help

Don’t wait for a regulatory inspection to highlight deficiencies and costly remediation. We can provide proactive advisory and independent assurance that your company’s policies, procedures, and practices are reasonably designed to comply with various CIMA regulations.

Our Business Risk Services professionals bring in-depth knowledge of the financial services industry, with expertise in AML / CFT compliance, risk management, and internal audit. We are at the forefront of any new CIMA legislation and work with our clients to help ensure regulatory compliance. Connect with us for your risk assessment and tailored internal audit plan.