Update

Top 'take-aways' from the 2025 Mourant Cayman Regulatory Conference

On 27 February 2025, Mourant held its annual Cayman Regulatory Conference at the Hotel Indigo, Grand Cayman. The conference included an overview of the Cayman Islands Monetary Authority's priorities for 2025, an update on the implementation of phase 2 of the virtual asset service providers regime, a presentation on business risk assessments, a presentation on regulatory enforcement and recent cases, a session on preparing for inspections by the Department for International Tax Cooperation, a conversation with the Financial Reporting Authority on suspicious activity reporting and a panel session on the beneficial ownership regime.

1   CIMA updates – Priorities and the 2027 FATF mutual evaluation

Rohan Bromfield, Head of the Fiduciary Services Division at the Cayman Islands Monetary Authority (CIMA) provided a high-level summary of the regulator's priorities for the coming year. These were summarised as collaboration and outreach, ongoing prudential supervision and monitoring, anti-money laundering and countering the financing of terrorism (AML/CFT), including as relates to preparation for the 5^th round mutual evaluation by the Financial Action Task Force (FATF), digital transformation and virtual assets and operational excellence.

The key focus for CIMA is on preparing the jurisdiction for the 5^th round mutual evaluation and it is of fundamental importance that industry and the regulator work closely together on this. To that end, CIMA emphasized that they were keen to work in partnership with industry and encouraged participants to reach out to them and to engage in constructive dialogue. 

CIMA will continue to conduct AML/CFT onsite inspections in 2025, together with focussing on training and development on the risk-based approach to AML/CFT compliance.

Innovation and digital transformation are another area of focus for CIMA. Whilst keen not to stifle innovation, it is imperative for CIMA to continue to monitor new technologies and the associated risks. All licensees must have appropriate risk management frameworks for cybersecurity risks. CIMA is also working to improve its own technological and digital capabilities to support efficient and effective regulation.

CIMA is placing an increased emphasis on industry outreach, and some recent and upcoming circulars, thematic reviews and training on supervisory measures were highlighted. The Corporate Governance Thematic Review Report was published in November 2024 and the AML/CFT Thematic Review will be issued later this year. Recent supervisory circulars, published in January 2025 and October 2024, have respectively covered the Importance of a Comprehensive Crisis Management Framework and Complaints-handling and Regulatory Expectations.

2   Phase 2 of the Virtual Asset Regulatory Framework – What's new and what's next

Samuel Jacques-Cloutier, Senior Policy Advisor at the Ministry of Financial Services and Commerce and Isabel Gumeyi, Head of the Virtual Asset Service Providers (VASP) and FinTech Innovation Unit at CIMA gave a presentation on the timing of the implementation of phase 2 of the VASP framework. Phase 2 introduces a licensing regime for custodians and trading platforms, as originally set out in the Virtual Asset (Service Providers) Act (as amended, the VASP Act). The Commencement Order, which will bring these phase 2 provisions into force on 1 April 2025, has now been published in the Cayman Islands Gazette.

The Virtual Asset (Service Providers) (Amendment) Act, 2024 which also comes into force on 1 April 2025 (except for the provisions relating to sandbox licensees) will further amend and clarify various provisions of the VASP regime. It will introduce a revised definition of 'operator' to better establish who exerts control and should therefore be licensed under the VASP Act. It will also:

• introduce a requirement for a VASP to have at least three directors (one of whom must be independent); and
• bring into force, waiver provisions under the VASP Act that allow a supervised person to apply to obtain a waiver for registration or a licence where the entity meets the waiver requirements.

Additionally, the amendments will introduce a potential audit requirement for entities registered under the VASP Act depending on the complexity and the size of the virtual asset services provided.

The Virtual Asset (Service Providers) (Amendment) Regulations, 2025 will come into force on the same date, to set out the fees for licensing under the VASP Act and provide that local companies wishing to engage in providing virtual asset services will be eligible for a 90% discount on licensing fees.

It is envisioned that there will be a further phase 3 of the VASP framework which could include the innovation sandbox element of the VASP Act and a framework for issuances (eg, ICOs). There may also be further amendments in relation to tokenised funds.

As relates to the licensing process under phase 2, existing VASP registrants providing virtual asset custody and trading platform services will have 90 days from 1 April 2025 to submit their application and are encouraged to undertake a gap analysis to consider how to prepare for the additional compliance requirements. Once a VASP registrant is licensed, the previous registration will be cancelled. New applicants will apply via the online REEFS platform.

A Rule and a Statement of Guidance on Virtual Assets Custodians and Trading Platforms were issued in December 2024 and CIMA will be issuing additional regulatory measures and guidance to assist both existing registrants as well as new applicants with the licensing process and on ongoing obligations.

CIMA continues to focus on strengthening the VASP Supervisory framework and as part of ongoing VASP monitoring initiatives, will be performing onsite inspections and regulatory meetings. CIMA will soon be issuing an anonymised report at the completion of the targeted Desk Review.

3   Business risk assessments - What does 'good' look like?

Tony Shiplee, Director at Mourant Consulting gave an insightful presentation on the various elements of business risk assessments (BRAs) and set out examples of what a 'good' assessment should look like. He also shared some key considerations relating to covering proliferation financing risks in the assessment.

A BRA is a key strategic document which aims to:

• identify and assess the levels of exposure of a business to different risks that it is exposed to (ie, money laundering (ML)/terrorist financing (TF)/proliferation financing (PF) and regulatory);
• protect the business from those risks by establishing the formal approach to the ongoing management of such risk; and
• assist in identifying the measures that are in place, or need to be enhanced or implemented, in order to mitigate those risks.

The BRA is a tool which helps businesses identify and assess both their levels of exposure to financial crime risks, and the controls that are in place, or need to be implemented, to appropriately manage those risks. It should be a living and breathing document that senior management are actively involved in the production of and understand. Senior management should also revisit the BRA periodically or when there is a material change in risk at a national, sectoral or individual entity-level.

From a BRA presentation perspective, a spreadsheet is the clearest way of documenting and rating multiple risks, the reason that a risk might not be applicable and (where appropriate) how risks are mitigated by controls that are in place. The functionality within spreadsheets can also help to calculate and present inherent and residual risk, especially for more complex businesses.

A good BRA should include:

• the organisational structure of the business and whether this gives rise to any risks;
• details of the customers and their geographical exposure, and the risks that this may create;
• details regarding risks associated with the products and services and associated delivery channels;
• any exposure that the business might have to physical cash usage and its associated risk;
• the criteria for obtaining information from customers where unusual transactions may arise;
• how the business will remain up to speed with evolving financial crime risks and typologies;
• risks arising as a result of exposure to third parties, such as introducers of business or intermediaries;
• arrangements relating to staff anti-financial crime training and awareness (and testing of these arrangement), specifically with regards to:
  • the reporting of suspicions internally;
  • the process followed to externalise suspicious activity reports;
  • the MLRO’s role; and
  • how to avoid tipping off;
• what systems and controls, including policies and procedures, the business does or does not have in place to mitigate risks; and
• a view on inherent and residual risks once controls have been applied.

The BRA is a good way to demonstrate that the business understands its financial risks and has commensurate measures in place in order to manage them. With the onsite element of the 5^th round mutual evaluation taking place in late 2027, senior management and other key individuals who may be interviewed by the assessors should be prepared to talk to the contents of their BRA and show assessors that they know and understand their risks and mitigants as these are a core focus of Immediate Outcome 3 (for Financial Institutions and VASPs) and Immediate Outcome 4 (for the DNFBP community).

The session also considered PF risks in comparison to those for ML/TF and looked at the similarities and differences between method and mitigation. Businesses should be treating PF risk as a separate risk within their BRAs, alongside money laundering and terrorist financing risk. It should also be noted that there is now a statutory requirement under regulation 8 of the Anti-Money Laundering Regulations (as amended, the AMLRs) for persons carrying our relevant financial business to identify, assess and understand their PF risks.

4   Regulatory enforcement: Lessons from recent cases

Hector Robinson KC, Partner at Mourant considered the recent wave of regulatory enforcement and examined the lessons that have emerged. Since the introduction of the administrative fines legislation in 2017 and following the low rating received by the Cayman Islands in the 4^th round mutual evaluation for immediate outcome 4 (as relates to preventative measures), the number of CIMA onsite AML/CFT inspections and enforcement actions has vastly increased. In particular, there has been a significant increase in actions under the Directors Registration and Licensing Act (as amended).

The session set out the various methods for challenging CIMA's enforcement decisions, including by:

• internal review;
• judicial review;
• statutory appeal; and
• statutory appeal by way of judicial review.

It was noted that on an appeal, the court will consider the merits of the decision whereas judicial review is concerned with the decision-making process itself and not the merits. On an appeal, the court may uphold, modify or set aside a decision. The court may also substitute its own decision for the original decision.

As regards judicial review, the court will consider whether the decision is lawful, procedurally fair, rational or proportionate and whether adequate written reasons for the decision have been provided. The court may then decide to uphold the decision or quash the decision (and remit it to the decision maker). It will not substitute its own decision for that of decision-maker.

Some recent cases that have reached the courts were highlighted, with the observation that if you plan to challenge a CIMA decision, it is better to challenge earlier in the process rather than later.

5   DITC compliance enquiries and inspections - How to prepare

Louise Somers, Head of Tax Reporting Services at Mourant Governance Services presented a session on effectively managing regulatory compliance interactions with the Department for International Tax Cooperation (DITC). This practical presentation highlighted key areas to focus on and pitfalls to avoid when responding to enquiries or preparing for a visit from the regulator.

Current CRS and economic substance position

As part of the ongoing effectiveness review on the implementation of the common reporting standard (CRS) globally, the Cayman Islands underwent an onsite review in January 2024. This second round review is particularly focussed on data quality and accurate reporting of tax identification numbers (TINs). The DITC is also required to complete an annual OECD questionnaire with details of their compliance strategy, activities and statistics. It is therefore key for industry to ensure that the data submitted is correct in order to avoid a bad rating in the effectiveness review of the jurisdiction and the related reputational damage.

In light of this, the Mourant Tax Reporting Team have noticed an increase in compliance actions taken by the DITC (particularly in relation to the CRS) and it is expected that this trend will continue, together with a related increase in CRS enforcement activity.

The Cayman Islands economic substance regime recently received the highest rating of 'no issues identified' for effectiveness in practice for the year 2023 from the Forum on Harmful Tax Practices (FHTP).  The FHTP economic substance monitoring review takes place on an annual basis and the Mourant team therefore expect economic substance compliance enquiries to continue.

DITC compliance enquiries

The most common types of DITC compliance enquiries relate to data quality, misclassifications, missed deadlines, failure of the economic substance test and comprehensive reviews/desktop audits for the CRS.

The following tips were recommended for responding to a compliance enquiry:

• provide a timely and complete response;
• ensure the compliance reference number is included;
• respond only to the email address indicated in the notice;
• ensure the principal point of contact and authorised person information is up to date;
• understand that the DITC has a strict internal process that must be followed; and
• remember the volume that the DITC are dealing with and set expectations.

DITC compliance notices

Compliance tips were given to assist in avoiding the following common triggers for DITC compliance notices:

• CRS returns with missing, incorrect or incomplete dates of birth, addresses or TINs;
• incorrect or conflicting information submitted on the CRS compliance form;
• a large variance in the number of reportable accounts when compared year on year;
• a mismatch between DITC portal registrations and other available sources (ie, CIMA, IRS GIIN list, ESN data); and
• missed deadlines for the CRS XML Report, CRS Compliance Form, ES Return or TRO Form.

Mourant's Tax Reporting Team advise that best practice is to be mindful of all DITC announcements and ensure that, when reviewed together, CRS filings and the CRS compliance form provide a consistent picture of a fund's NAV.

In October 2024, the DITC sent out over 1,000 missed CRS deadline breach notices. 'Financial Institutions' (FIs) receiving such a notice had until 20 January 2025 to remedy the breach and submit a representation. Where the FI has completed the remediation steps and submitted a representation, the DITC may consider reducing the proposed penalty. The DITC have until 31 July 2025 to issue a penalty to FIs which have failed to comply.

CRS comprehensive reviews

In November 2024, the DITC commenced their CRS comprehensive reviews (ie, CRS audits). These reviews consist of a three-stage process: initial notice, request for information letter and meeting notification letter.

The following comprehensive review tips were given:

• consider carrying out an internal review or engaging a specialist service provider to do a health check or pre-audit to verify compliance with all obligations in the CRS Regulations;
• the directors should ensure FIs engage reputable AEOI service providers and ask pertinent and probing questions at a board meeting; and
• remember that the CRS Regulations can impose penalties directly on directors.

If you are interested in signing up for Mourant's online AEOI Compliance Training and AML Training, please reach out to one of the contacts listed in this Update or email ClientTraining@Mourant.com.

6   Suspicious activities reporting - a discussion with the FRA

Peter Hayden, Partner at Mourant and RJ Berry, Director of the Financial Reporting Authority (FRA) discussed suspicious activity reports (SARs), focussing on the importance of timely, high-quality reporting and outlining expectations for financial institutions. They also considered future trends, such as technological advancements and evolving financial crimes, stressing the need for continuous improvement.

The FRA is the Cayman Islands Financial Intelligence Unit responsible for the receiving, requesting, analysing and disseminating financial information disclosures concerning the proceeds of criminal conduct, money laundering, the financing of terrorism or suspicions of any of those crimes. Since 2017, the FRA is also responsible for ensuring the implementation of targeted financial sanctions with respect to terrorism, terrorism financing, proliferation, proliferation financing, and other restrictive measures related to AML and combatting the financing of terrorism and proliferation from and within the Cayman Islands.

One of the main challenges faced by the FRA is the volume of SARs and cases each year, RJ confirmed plans to address this challenge by hiring more staff. The FRA also places a continuing emphasis on keeping up with international standards, including the FATF Methodology for the 5^th Round of mutual evaluations, as well as the action taken to address the key recommended actions from the 4^th round Mutual Evaluation Report.

The discussion focussed on recent changes to the Proceeds of Crime Act (as amended, POCA) which came into effect on 2 January 2025 to introduce the defence against money laundering (DAML)/Consent regime. In addition to filing a SAR, the amendments to sections 133, 134 and 135 of the POCA now require SAR filers to have the consent of the FRA to ‘commit the act’. The FRA intend to publish guidance on compliance with the DAML/Consent regime in due course. Whilst we await the relevant regulations (for which consultation drafts will be published shortly), the Industry Advisory on the DAML/Consent regime issued by the FRA on 13 January 2025 will serve as interim guidance. 

The DAML regime has not totally replaced the previous SAR regime, and SARs may be a DAML or non-DAML SAR depending on the facts. When filing a DAML SAR, reporting entities should indicate in AMLive or their email that it is a DAML SAR to allow for these cases to be prioritised. A DAML SAR should state in the ‘Reason for Suspicion’ section why a DAML/Consent request is being made and include full details of the activity that the DAML/Consent is being sought for.

The DAML regime introduces a notice period, during which the DAML/Consent request has to be responded to failing which the applicant is deemed to have consent. The Notice Period will be seven working days, commencing on the first working day after a SAR containing a DAML/Consent request is submitted to the FRA, or such longer period as the Director may determine where the Director is of the view that an amendment to the SAR or DAML/Consent request is required because it is incomplete.

If consent is refused, there is a 30-day Moratorium Period commencing on the first working day after the FRA provides notice that the DAML/Consent request has been refused. during which the activity that is the subject of the request must not be carried out. It is anticipated that further action will be taken by law enforcement during the Moratorium Period, such as property freezing orders or restraint orders. SAR filers should be mindful of the offence of Tipping Off set out in section 139 of POCA.

It was noted that at present the jurisdiction is already in the period for demonstrating effectiveness for the 5^th round mutual evaluation of the Cayman Islands.  As FATF Recommendation 4 requires the introduction of the DAML regime, it is crucial that we successfully demonstrate the implementation of the regime.

7   Beneficial Ownership Regime forum

Michael Klein, Editor at Cayman Finance moderated a discussion with a panel which included Hon. André Ebanks, Member of Parliament, Karen Watson, Chair of the Cayman Islands Fund Administrators Association and Sara Galletly, Partner at Mourant. The panel covered the Cayman Islands' beneficial ownership regime from several different angles, with our panellists sharing their experiences and expertise in response to open forum questions submitted by the audience.

Legitimate interest access

By way of background, the panel discussed the original aim of the Beneficial Ownership Transparency Act, 2023 (BOTA), which was to consolidate the beneficial ownership legislation into one act and allow for full transparency. During the legislative process, the Court of Justice of the European Union issued an important decision in November 2022 in relation to a Luxembourg case on public access to information published in a beneficial ownership register. This judgment provided that the right to unfettered access, with no requirement to demonstrate a legitimate interest, infringed Articles 7 and 8 of the EU Charter of Fundamental Rights.

Following this case and in recognition of rights contained in the Cayman Islands constitution, the Beneficial Ownership Transparency (Legitimate Interest Access) Regulations, 2024 (the LIA Regulations) were drafted to permit access to certain categories of person on the basis that the individual has a legitimate interest in that information for the purpose of preventing, detecting, investigating, combating or prosecuting money laundering or its predicate offences or terrorist financing. The LIA Regulations came into force on the day following the conference, being 28 February 2025.

The panel noted that the LIA Regulations allow an application to relate to multiple connected persons where the underlying entities are alleged to be involved together in money laundering or terrorist financing.

Investment funds

As expected, virtually all registered funds are electing to take the alternative route to compliance and appoint a contact person for beneficial ownership purposes, rather than making monthly submissions in a beneficial ownership register (BOR). However, it is important to remember that, under the alternative route to compliance, a fund is still required to have the same information available as it would if it were maintaining an actual BOR.

From the legal perspective, the analysis of indirect control is proving complex as the legislation and the Guidance are geared towards simple structures, whereas structures can be more complex in practice. The Guidance is helpful on the role of senior managing officials and contact persons.

Mourant would like to thank our external speakers for their part in making the regulatory conference such a successful event. Please click here to read our latest regulatory updates and guides. If you are interested in Mourant's online AEOI Compliance Training and AML Training, please reach out to one of the contacts listed in this Update or email ClientTraining@Mourant.com.