In this briefing, we consider how to best to prepare for, manage and respond to an on-site inspection made by the Cayman Islands Monetary Authority (CIMA) and address some frequently asked questions for regulated entities in relation to such inspections.
Introduction
CIMA has powers, under the Monetary Authority Act (MAA) and certain other regulatory laws of the Cayman Islands, to conduct on-site inspections of licensees such as administrators, banks and trust companies and other regulated entities such as registered persons under the Securities Investment Business Act (SIBA) in the Cayman Islands (together, Regulated Entities). For the avoidance of doubt, the scope of this briefing does not extend to regulated investment funds.
On-site inspections are routinely conducted by CIMA's dedicated On-site Inspections Unit in order to: (i) understand the business activities and operating environment of Regulated Entities; (ii) detect problems of compliance (and any non-compliance) with applicable legislation and/or regulations; and (iii) gather information on any matters which may require policy considerations.
On-site inspections may involve supervisory visits to Regulated Entities' places of business both in the Cayman Islands and overseas; and can be 'full-scope', involving a review of all areas of a Regulated Entity's operations; or limited to specific areas of a Regulated Entity's operations, such as the adequacy of a Regulated Entity's anti-money laundering (AML), combatting terrorist financing (CFT) and countering the proliferation of weapons of mass destruction (CPF) internal control systems, policies and procedures.
Ogier's Regulatory team has extensive experience of regulatory inspections in the Cayman Islands and this briefing is designed to address key FAQs we receive in relation to CIMA on-site inspections.
Frequently Asked Questions (FAQs) in relation to CIMA on-site inspections
What should a Regulated Entity do if it receives notice from CIMA that it is going to be subject to an on-site inspection?
In the first instance, we would generally advise a Regulated Entity to take steps to clarify:
(i) precisely when the inspection will take place and what timeframe CIMA has allotted for the inspection; and
(ii) what the scope and parameters of the inspection will be i.e. will the on-site inspection be a 'full scope' review or limited to a specific area of the subject Regulated Entity's operations, such as AML compliance.
More specifically, a Regulated Entity subject to on-site inspection should confirm:
(a) the way in which the inspection will occur, including whether it will be a 'desktop inspection' (i.e. a remote review of a Regulated Entity's policies and procedures (to be provided to CIMA electronically)), a physical inspection conducted by way of a site visit, or a combination of the two;
(b) whether CIMA proposes to interview any personnel and, if so, precisely which people should be made available; and
(c) any deadlines attached to any specific information and/or documentation requests which will be made by CIMA during the on-site inspection process.
More generally, we would emphasise that Regulated Entities should be as cooperative with CIMA as is practicable during an on-site inspection. Not least, because a Regulated Entity's lack of cooperation during an inspection will be taken seriously by CIMA and will be an exacerbating factor should it identify any non-compliance with applicable laws and/or regulations. Ultimately, a Regulated Entity's level of cooperation may be a relevant factor in CIMA's determination as to whether to take any enforcement action and, if so, the form and extent of such enforcement action.
In this respect, we would recommend that a Regulated Entity subject to on-site inspection establishes, and circulates to all personnel, a clear document management procedure in order to ensure that:
(a) no documentation is destroyed, damaged or concealed;
(b) any documentation or other material that is confidential and/or legally privileged is identified and handled appropriately; and
(c) copies of any documentation requested by CIMA are reviewed and, if appropriate, provided by a suitable external point of contact or team.
We would also generally encourage discussions with CIMA at the outset as to how CIMA would prefer to receive requested information and uploads, which will permit the implementation of a protocol for recording and tracking the transfer of such information. Such a protocol should take into account the precise extent and scope of any document requests, and make provision for CIMA's preferred method of upload, such as secure electronic file transfer.
The above disclosure procedure should also cover, and provide for recording and tracking of, all communications with CIMA throughout the on-site inspection process, including all:
(a) in-person and/or telephone conversations with CIMA; and
(b) emails sent to, and received from, CIMA; and
(c) other written correspondence with CIMA,
together with the date and time of any such communications.
What about internal / external communications? Can a Regulated Entity brief its personnel ahead of a CIMA on-site inspection?
We would recommend that senior management and personnel in all relevant functions be briefed as to how CIMA will conduct the inspection once the scope and parameters of an on-site inspection have been confirmed; and in advance of the on-site inspection itself.
An internal meeting of all relevant personnel, for example, is often a helpful way of prompting the raising and exploring of any potential concerns with management; and may assist a Regulated Entity's management and/or compliance function in identifying any issues which may need to be raised with external counsel and/or CIMA either ahead of, or during, an on-site inspection.
Subject to CIMA's preferences, we would also recommend the nomination of a single point of contact for a subject Regulated Entity, through whom all communications with CIMA should be conducted. This often improves the efficiency of communications with CIMA during an inspection process and, importantly, allows a Regulated Entity more easily to manage its exchange of information with CIMA and to avoid the provision of any inconsistent or inaccurate information. Wherever a single point of contact is designated by a Regulated Entity for the purposes of an on-site-inspection, it is important that CIMA is made aware of this person and notified as to how it should contact them.
Is there anything a Regulated Entity should not do if it receives notice from CIMA that it is going to be subject to an on-site inspection?
It is important to remember that CIMA has broad powers under the MAA, and other regulatory laws of the Cayman Islands, to require Regulated Entities to provide such information and/or documentation as CIMA may reasonably require in connection with the exercise of its regulatory functions (including, where appropriate, the conduct of an on-site inspection); and that a person who, without reasonable cause, fails to comply with such a requirement, or wilfully obstructs a CIMA inquiry made in accordance with CIMA's powers, commits an offence and may be liable to financial penalties (including, potentially, administrative fines levied by CIMA under the Monetary Authority (Administrative Fines) Regulations of the Cayman Islands (Administrative Fines Regulations)).
Any attempt by a Regulated Entity, or any of its personnel, to obstruct, impede or delay a CIMA on-site inspection process may attract (or amplify any already present) enforcement risk; and so it is essential that a Regulated Entity subject to an on-site inspection process takes no steps or actions which could be deemed to be obstructive or otherwise evasive. A Regulated Entity must not, for example, destroy, damage or conceal any documentation requested by CIMA during an on-site inspection. In particular, heavily redacted copies of requested documentation are unlikely to be well received and, accordingly, any such redaction should be carefully considered (with specific legal advice taken in this respect) and a fulsome explanation for any such redaction should be provided to CIMA alongside the relevant redacted documentation.
What happens, and is there anything a Regulated Entity should do, once CIMA has completed an on-site inspection?
CIMA will typically hold a form of 'closing meeting' at the end of an on-site inspection in order to highlight any immediate issues or concerns arising out of CIMA's findings with the subject Regulated Entity. This meeting is designed to provide the subject Regulated Entity with an opportunity to respond to CIMA verbally and to clarify any issues pertaining to any preliminary findings arising out of the inspection. A Regulated Entity should make and keep a comprehensive note of this meeting, including a detailed record of any initial findings, and any related commentary, communicated by CIMA at this stage. CIMA has made it clear that the 'closing meeting' is intended to provide management teams at subject Regulated Entities with an opportunity to explain and discuss any potential findings. Accordingly, management teams at subject Regulated Entities should seek to use the 'closing meeting' to get a clear and detailed understanding of all potential findings. CIMA has also indicated that the 'closing meeting' may be an appropriate environment for management teams to raise with the inspection team any matters in respect of which it appears there is a divergence between CIMA and the Regulated Entity's analysis or understanding of a given matter. For this reason, we would generally recommend that a subject Regulated Entity take legal advice regarding any such anticipated areas of divergence in advance of its 'closing meeting' with CIMA.
Thereafter, CIMA will prepare a draft inspection report and share this with the subject Regulated Entity. This is an important stage in CIMA's on-site inspection process and an opportunity for a Regulated Entity to respond to and comment on CIMA's draft findings as may be required. It also represents a chance for a Regulated Entity to provide further information, if helpful, to CIMA in order to clarify CIMA's findings and/or, if appropriate, satisfy CIMA as to the Regulated Entity's compliance in respect of any relevant findings. CIMA will prescribe a response deadline; and so it will be important for a Regulated Entity to begin preparing its written response (which may require legal input) as soon as possible. Where we have not yet been involved during an on-site inspection itself, this is the stage in the inspection process on which we are most commonly engaged as legal counsel to advise, in particular, to assist with the preparation and submission of a Regulated Entity's written response to CIMA.
What happens if CIMA finds, through an on-site inspection, that a Regulated Entity has failed to meet one or more of its regulatory obligations?
For Regulated Entities, the financial, commercial and reputational risks involved in failing to demonstrate full compliance with their regulatory obligations in the Cayman Islands are significant.
Where CIMA determines, through an on-site inspection, that a Regulated Entity has failed to meet its regulatory obligations, CIMA may, among other things:
(a) require such Regulated Entity to take steps to remediate any failures within prescribed timeframes;
(b) suspend, impose conditions upon or even revoke, a Regulated Entity's license, registration or authorisation to operate in the Cayman Islands; and/or
(c) initiate the applicable process to impose financial penalties (including, in the case of any breach prescribed as 'very serious' under the Administrative Fines Regulations, a fine of up to US$1,219,5121 per breach).
CIMA also routinely publishes details of any disciplinary action taken against Regulated Entities, and so it is important that all Regulated Entities are adequately prepared to manage and respond to an on-site inspection.
Is there anything that a Regulated Entity can do to prepare itself, ahead of time, for a CIMA on-site inspection?
A Regulated Entity is well advised not to await an inspection notice from CIMA before beginning to prepare for an on-site inspection and, if appropriate, engaging external counsel to assist with this.
Compliance and risk assessment 'health checks' can be carried out in advance to test systems, controls, policies and procedures in order to identify any issues or areas for improvement ahead of any inspection. Ongoing monitoring and assessment is a key requirement of the Cayman Islands AML/CFT/CPF regime, and so, depending on the size and complexity of its business, a Regulated Entity would benefit from engaging an independent service provider to conduct a full compliance audit, which would evidence it taking its ongoing review obligations seriously.
It is important to note that Regulated Entities will be expected by CIMA to ensure that their systems, controls, policies and procedures are current, in line with all applicable laws and regulations, and account for and reflect any updates, amendments or changes in this respect.
In this respect, it is also important to note that CIMA will generally not credit a subject Regulated Entity, either during an on-site inspection process or in any inspection report generated therefrom, for policies or procedures (or any updates made to the same) which are put in place (i.e. formally approved and implemented by such Regulated Entity) after such Regulated Entity has received an inspection notice from CIMA. Whilst there may be merit in a Regulated Entity taking steps, if required, to implement and/or update any relevant policies and procedures after receiving an inspection notice from CIMA (and representing, to the extent appropriate, that it has taken pre-emptive remedial action in this respect ahead of its on-site inspection), Regulated Entities would therefore be well advised to regularly review (or engage Cayman Islands counsel to review) their relevant compliance policies and procedures, generally annually, in order to ensure that they are kept in line with all applicable laws and regulatory requirements.
Where any compliance deficiencies are identified through a scheduled audit or review, or otherwise, it is essential that these are brought to management's attention immediately and that appropriate remediation is authorised and implemented as soon as is practicable; and that a comprehensive record of all remedial action taken is kept. Where management has been alerted to compliance issues and not taken immediate action to remediate these, this will be taken into account by CIMA in any on-site inspection report and related enforcement action.
Conclusions
On-site inspections are one of the key ways in which CIMA discharges its compliance monitoring function under the MAA, and regulatory inspections such as these are becoming increasingly common practice in the Cayman Islands.
Being subject to an on-site inspection can however create significant workflow for a Regulated Entity, including the preparation and submission of detailed responses which must be carefully delivered to CIMA in line with prescribed, and sometimes demanding, deadlines.
Any Regulated Entity which is subject to a CIMA on-site inspection should consider engaging external counsel to assist with its preparation, and the inspection process, as early in the process as is practicable. In this respect, our Regulatory team has extensive experience of CIMA on-site inspections and is well placed to assist on these and/or related matters.
Regulated Entities should not wait until they are put on notice of a CIMA on-site inspection before beginning to prepare for one. There are a number of steps that a Regulated Entity can take in order to prepare for an inspection ahead of time, and which may enhance and strengthen its compliance controls, systems and procedures generally.
Footnote
1 Administrative fines are levied in Cayman Islands dollars. The figures quoted are in US dollars at an exchange rate of US$1.00=CI$0.82, rounded up to the nearest US dollar.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
