KEY TAKEAWAYS
- Conducting an independent AML audit at a frequency based on the nature, scale and complexity of the entity is a requirement under the AML Regulations.
- AML audits are an important component of the control environment to ensure adherence to the standards and obligations set out under the AML Regulations.
- There is an increased scrutiny by Cayman Islands Monetary Authority on compliance with the AML audit obligation as well as the broader AML/CTF/CPF/Sanctions regime.
Frequent audits will warrant a controlled environment where entities adhere to the standards and obligations set out under the AML Regulations.
Introduction
All financial service providers ("FSPs") subject to the Cayman Islands Anti Money Laundering Regulations (as amended) (the "AML Regulations") have initial and ongoing customer-related obligations and must implement internal controls. These include an independent audit function ("AML Audit") to periodically test a FSP's policies, procedures, systems and controls for anti-money laundering, counter-terrorist financing, counter-proliferation financing and sanctions compliance (collectively "AML/CTF/CPF/Sanctions"). The Cayman Islands Monetary Authority ("CIMA") has emphasised the importance of the obligation to conduct independent audits in many publications and during inspections.
Is there a legal requirement to have an AML Audit and which entities are in-scope?
The AML Regulations require all FSPs on a mandatory basis to have an effective risk-based independent AML Audit function. FSPs include investment managers, advisors, dealers and arrangers, mutual funds, private funds, fund administrators, trust and corporate service providers, banks, certain insurers, virtual asset service providers, money service businesses, estate agents, precious stones and metals dealers and others. Adherence to the AML Regulations is required for FSPs adopting group standards as well as those operating in the Cayman Islands only.
What is an AML Audit?
The AML Audit should test not only the content of the FSP's policies and procedures but also implementation in practice. In this context the term "audit" is used by CIMA in the sense of testing the efficacy and efficiency of the FSP's AML/CTF/CPF/Sanctions systems, policies and procedures and is separate from and different to internal audit requirements more generally or financial audits.
How frequently must an FSP conduct an AML Audit?
The AML Regulations do not prescribe the content or frequency for the AML Audit but CIMA's Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands provide that the AML Audits should be regular and commensurate with the FSP's nature, size, complexity and the risks identified during its documented AML/CTF/CPF/Sanctions risk assessment.
Who is responsible for ensuring that AML Audits are conducted?
The FSP's board, managing member general partner or trustee, as the case may be, is ultimately responsible for the FSP's compliance with the AML Regulations, including the obligation to have an appropriate effective risk-based independent AML Audit function. A FSP can demonstrate clearly apportioned roles for countering financial crime where its anti–money laundering compliance officer ("AMLCO") or other audit, compliance or review function ensures that regular AML Audits take place and that any AML Audit report is presented directly to the board or equivalent or relevant committee.
Who should conduct the AML Audit?
AML Audits do not necessitate engaging a professional audit firm. However, an FSP's AMLCO, money laundering reporting officer and deputy money-laundering reporting officer will not be considered as independent. In-house compliance teams with any operational involvement will also not meet the expected independence criteria. Law firms or compliance consultants can provide a solution for entities without in-house internal audit capabilities. The AML Audit function can be outsourced, subject to compliance with CIMA's outsourcing requirements, and for FSPs with no or few staff, outsourcing is the preferred approach.
What does an AML Audit involve?
The AML Audit should test the FSP's AML/CTF/CPF/Sanctions systems, including:
- testing the overall integrity and effectiveness of the AML/CTF/CPF/Sanctions systems and controls including compliance with laws and regulations;
- assessing the adequacy of internal policies and procedures including customer due diligence measures; record keeping; third party relationships (such as eligible introducers and nominees) and transaction monitoring,
- testing transactions in all areas of the FSP, with emphasis on high–risk areas, products and services;
- assessing employees' knowledge of the laws, regulations, rules, guidance, and policies and procedures and the adequacy of related training programmes; and
- assessing the adequacy of the FSP's process of identifying suspicious activity including screening lists.
What are the penalties for non-compliance?
Any legal or natural person who breaches the AML Regulations commits an offence and is liable on summary conviction to a fine of up to approximately USD 600,000 or on indictable conviction to an unlimited fine and imprisonment for two years. There are also administrative fines that can be imposed by CIMA through inspections or otherwise.
CIMA's priorities
CIMA has indicated through inspection derived data that some FSPs are not complying with the requirement to undertake an independent AML Audit. This has led to an increased scrutiny on compliance with the independent AML Audit obligation and broader AML/CTF/CPF/Sanctions regime. This included specific statistics showing adherence to the requirement by fewer than 50% of inspected entities. Follow up industry engagement circulars and mandatory surveys have similarly reinforced CIMA's focus on this issue.
Why is it important to implement AML Audits?
A failure to conduct independent AML Audits amounts to non-compliance with the AML Regulations. Given the regulatory landscape and the increasing number of administrative fines, conducting regular independent AML Audits will allow a FSP to identify any compliance issues and remediate in good time.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.