With the impending release of the Cayman Islands Monetary Authority's ("CIMA") annual anti-money laundering ("AML") survey ("AML Survey") on 1 June 2025, it is important for all entities registered ("SIBA Registered Persons") or licensed in the Cayman Islands under the Securities Investment Business Act (As Revised) ("SIBA") to be aware of their regulatory compliance obligations.

When completing the annual AML Survey, all SIBA Registered Persons should also be mindful of CIMA's areas of focus. Some of these focus areas were set out in CIMA's supervisory information circular issued on 8 May 2025, outlining CIMA's key findings ("Key Findings") from onsite inspections of SIBA Registered Persons ("Inspections").

In this update, we further discuss CIMA's AML Survey and Inspection Key Findings, but first we provide a reminder of the activities and permissions of SIBA Registered Persons.

Regulatory Compliance Obligations

SIBA regulates 'securities investment business' ("SIB") in the Cayman Islands. This includes the activities of securities managers, securities advisors, securities arrangers and broker-dealers.

Entities licensed under SIBA to carry out such activities are broadly permitted to carry out retail business. However, certain categories of person (broadly, either entities already licensed by a recognised overseas regulatory authority to carry out SIB within that jurisdiction, or those conducting SIB either intra-group or for high net worth and/or sophisticated persons) may instead apply for registration as SIBA Registered Persons.

While some of the ongoing obligations of SIBA Registered Persons are lighter touch compared with entities licensed under SIBA, SIBA Registered Persons are required to have systems and controls appropriate for the size, complexity, structure, nature of business and risk profile of its operations as a financial services provider.

In particular, we highlight the following areas requiring compliance:

AML, Countering Terrorism Financing ("CTF"), Countering Proliferation Financing ("CPF") and Targeted Financial Sanctions ("TFS") requirements

CIMA's Rules and Statements of Guidance on (i) Corporate Governance, (ii) Internal Controls, (iii) Outsourcing, (iv) Cybersecurity and (v) Nature, Accessibility and Retention of Records

Pursuant to these regulatory obligations, SIBA Registered Persons are required to adopt, implement and maintain various written policies and procedures and documented risk assessments and compliance logs.

SIBA Registered Persons also have regulatory obligations to:

provide Cayman Islands-specific AML/CTF/CPF/TFS training to their directors, senior management, staff and AML officers annually;

hold an annual board meeting;

conduct AML/CTF/CPF/TFS audits; and

conduct Internal Controls audits.

CIMA Annual AML Survey

CIMA monitors SIBA Registered Persons' compliance through its detailed annual AML Survey, in which CIMA elicits information from all SIBA Registered Persons. This is for both CIMA's own information gathering and risk assessment requirements and CIMA's monitoring of SIBA Registered Persons' compliance with the regulatory obligations mentioned above.

CIMA Inspections

CIMA also has an ongoing Inspection programme to ensure regulated entities comply with applicable laws and regulations. From 2020 to March 2024, CIMA inspected nearly 200 SIBA Registered Persons.

CIMA's Inspection process is typically very detailed and spans several months. CIMA will inspect a SIBA Registered Person's records, including the entity's written policies and procedures, documented risk assessments and compliance logs. CIMA will interview and meet the directors, senior management and AML officers of the SIBA Registered Person.

Any breach or deficiency would be included in CIMA's Inspection report, and SIBA Registered Persons would be required to take remedial actions within a prescribed timeframe. CIMA may also take enforcement action by imposing fines and releasing public notices.

In that context, the Key Findings are instructive as they indicate the potential areas of focus in future Inspections, and accordingly provide SIBA Registered Persons with an opportunity to address them now.

CIMA noted that there was continuing room for improvement in the following areas:

Customer due diligence ("CDD") and ongoing monitoring documentation

Independent AML/CTF/CPF/TFS audit function

Record keeping including declined business log

Internal reporting of suspicious activity

Assessing ML/TF/PF/TFS risks and applying a risk-based approach

Outsourcing policies, procedures and risk assessments in relation to outsourced AML/CTF/CPF/TFS compliance functions

Board oversight of AML/CTF/CPF/TFS compliance functions

Employee AML/CTF/CPF/TFS training and awareness programme

In particular, in relation to CDD and risk assessment findings, CIMA noted the following weaknesses (all in relation to documentation):

Sanctions screening documentation

Risk assessment documentation

Missing or inadequate identification and verification documentation

Periodic review monitoring documentation

Documentation of basis for applying simplified CDD measures

Implementation of enhanced CDD measures

Documentation of source of wealth and/or funds

