Over the course of the last year, amendments to the Cayman Islands' Proceeds of Crime Law (2018 Revision) and Anti-Money Laundering Regulations (2018 Revision) have grabbed the attention of financial services stakeholders and, once again, thrust regulatory compliance into the spotlight.

The amendments to the Cayman Islands' anti-money laundering and countering the financing of terrorism (AML/CFT) regime have generally made explicit what was previously implicit, and were largely designed to bring the letter of the Cayman Islands' regime into line with the Financial Action Task Force (FATF) recommendations.

While much attention has been given to the extension of the application of the AML/CFT framework to all "relevant financial businesses", and in particular to entities that conduct the business of "investing, administering or managing funds or money on behalf of other persons" or "investment related insurance" in or from the Cayman Islands, and to the requirement to appoint natural persons as anti-money laundering (AML) officers, the formal adoption of a risk-based approach in the primary legislation ensures that measures to prevent or mitigate money laundering and terrorist financing are proportionate with the risks that have been identified.

A risk-based approach, through a risk assessment, is an essential foundation in allocating AML/CFT resources efficiently to the perceived threats. Importantly, there should be sufficient breadth and depth devoted to potential threats and vulnerabilities, as well as to their consequences. It is worth noting that AML/CTF risks are inherently difficult to describe or to measure in quantifiable or numerical terms. Therefore, a risk assessment will involve making judgements about these perceived issues.

While the new regime requires each entity to perform risk assessments on its investors/clients, it also requires the entity to conduct a risk assessment on itself. Failure to comply with this requirement for an assessment of its own risks under the Anti-Money Laundering Regulations can result in the entity facing criminal sanctions under the Regulations or administrative fines under the newest piece of legislation to the regime, the Monetary Authority (Administrative Fines) Regulations 2017. Failure to conduct an internal risk assessment would be considered a serious breach to which a fine not exceeding CI$50,000 for an individual or CI$100,000 for a body corporate may apply

As CIMA's licensees and registrants vary significantly in the types and sizes of business, a single risk assessment model cannot fit all but general guidDorothy Scott and Sandra Edun-Watler, Walkers How to Evaluate Your Risk 89 ance has been provided in the Guidance Notes. While there is no single standard for how thorough or complex a risk assessment must be, what is clear is that a risk assessment needs to be carried out and documented

Risk covers a wide category of factors and it needs to be clear that the entity needs to assess and measure its risk specific to money laundering and terrorist financing threats.

Although no matrix has been provided on how to assess this type of risk, risk should still be categorised. As all risks are not created equal, various factors can be applied to different categories of risk. Before an overall assessment is done, all relevant risk must be considered along with the appropriate level of mitigation to be applied. The entity must make its own determination on how it weights each individual factor and also take into consideration the relevance of each different risk factor that applies in context to the entity.

Entities should adopt risk assessment policies and procedures appropriate to their size, nature and complexity. In order to identify and assess inherent risk faced, entities need to examine the four key areas of money laundering/terrorist financing risk: products and services, delivery channels, customer types and geographic locations in which investors/clients operate.

An entity needs to take into account the amount of risk tolerance it is willing to accept, part of which is determining its risk appetite. This is one of the most important factors to take into account when looking at the overall business of the entity. It should always be borne in mind, however, that there are no prohibitions on how an entity chooses the business it intends to take on. The entity's risk appetite will severely impact risk mitigation measures and controls it employs. These must be commensurate with the risks associated with that type of business. This is achieved through monitoring of the specific type of business. One challenge that arises is trying to apply an objective standard to something that can be very subjective.

Assessments must be kept up to date, and although no guidance has been given on how frequently these should be done, the performance of an internal audit may help to determine how often this requirement should be completed.

Finally, it is crucial not to forget that even when all of these factors have been taken into account, the most important point to ensure is documenting how the entity has assessed its risk. Without this, the entity has no evidence that all the factors have been taken into account and that an internal assessment requirement had been complied with.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.