A number of regulatory developments have been introduced into the Cayman Islands over the last 12 months as it takes further steps to ensure the transparency and integrity of its financial funds industry stands up to global scrutiny.
Many of these regulatory changes do not necessarily impact fund managers directly, but more so their service providers, although the Data Protection Law, 2017, which was published in the Cayman Islands Gazette on June 2017, will impact all Cayman entities in respect of how they process and protect personal data.
Data Protection Law, 2017
The Data Protection Law is due to come into effect in January 2019 and will enable the jurisdiction to comply with data protection standards (in the form of GDPR) in Europe.
“At the moment, it is possible to transfer fund data from the EU to the Cayman Islands or other jurisdictions outside of the EU as long as one of a number of tests are passed; the most common being consent to transfer data to somebody outside the EU.
“There will be no need to obtain consent before data is transferred, however, if the jurisdiction to which data is being transferred is deemed to have equivalent data protection measures to the EU. By implementing the DPL, the Cayman Islands are beginning the process towards achieving “equivalence” status,” explains Lucy Frew, Partner at Walkers and head of its Regulatory & Risk Advisory Group.
Before DPL comes into effect, a working group consisting of both private sector leaders and government employees will review the law to help draw up plans to implement the paradigm shift in local privacy protection.
The working group will be chaired by Acting Information Commissioner Jan Liebaers. The seven-member panel will include local attorneys Peter Broadhurst, Tim Dawson, and Peter Colegate, as well as Cabinet Office staffers Nadira Lord and Garfield Ellison, and Paul Morgan of OfReg, Cayman’s utilities and commodities regulator.
“The Cayman Islands legal industry has properly prepared for data protection,” comments Sean Inggs, Fund Director at International Management Services Ltd, which provides directorship services to Cayman funds.
“The law is similar to the main elements of the UK’s Data Protection Act, 1998 and GDPR. A Cayman data protection ombudsman will be established. Most of the obligations on data controls will all be applicable here in Cayman, which is good because it will keep the jurisdiction in line with European regulatory standards.”
Data protection has become a hugely important issue for offshore financial centres in the wake of high-profile cybersecurity breaches in Panama and Bermuda. The ability to protect sensitive data on HNW investors, fund investments, deal activity, etc, has rapidly become a top priority.
“This is an area that I think many have at the top of their priorities list for 2018,” says Frew. “Cyber attacks and data leaks are a worldwide phenomenon and obviously not limited to just the hedge funds industry or offshore jurisdictions. The sorts of attacks happening today means that the risks involved are previously unimagined.
“We have invested an enormous amount of resources in technology and specialist cybersecurity staff. Maintaining the security and confidentiality of client information is of the greatest importance to us.”
More than anything, hedge fund businesses are concerned about the risks a jurisdictional cybersecurity attack could have on their commercial reputation in the marketplace.
Although the two are separate issues, there is a cybersecurity element to DPL regulation in terms of how Cayman entities process data and the controls they have in place to ensure sensitive data does not get damaged or leaked.
“GDPR will have an impact on any Cayman Islands hedge funds that have touch points with the EU – for example, service providers, actual or prospective investors, marketing contacts or representative offices. It is conceivable that some hedge funds will have no touch points with the EU and will not be caught within the scope of GDPR. If a Cayman Islands hedge fund is within scope of the GDPR, it will have to comply with all its requirements. As the DPL is based on UK and EU data protection legislation, its definitions and concepts will look familiar to UK or EU managers or service providers to Cayman Islands hedge funds,” she says.
CIMA increases enforcement powers
Another regulatory update is the Monetary Authority (Amendment) Law, 2016, which was passed on 24th October 2016 and came into force on 15th December 2017, the same date as the Monetary Authority (Administrative Fines) Regulations, 2017 were published and came into force.
The Monetary Authority (Amendment) Law imposes a range of penalties from CI$5,000 for minor breaches to CI$100,000 for individuals and CI$1 million for entities for very serious breaches. Fines for ongoing minor breaches can be applied at intervals on a continuing basis up to a CI$20,000 cap.
This is a positive step forward for Cayman and sends out a clear signal that greater scrutiny will be placed on good governance and adoption of best practices among Cayman entities. To further underscore this drive towards greater enforcement and transparency, Cayman also introduced a Beneficial Ownership regime in 2017, which is largely driven by requirements to come into line with UK standards.
All Cayman companies are now obliged to report on who the beneficial owners of their entities are to a central body controlled by the Cayman regulator, CIMA.
“The Monetary Authority (Amendment) Law helps to enhance the jurisdiction and can serve to support enhanced governance,” comments Tammy Jennissen, Senior Vice President, Maples Fiduciary Services, a division of MaplesFS.
“It doesn’t change the way we do business, however. When the Statement of Guidance (SoG) was issued under the Mutual Funds Law, it highlighted expectations of fund directors, many of which had long been standard procedure for us.”
Abali Hoilett, Senior Vice President, Maples Fiduciary, believes that the SoG brings a more consistent approach to fund governance. “It raises the bar for Cayman directors and underscores the importance of fund governance and the critical role it plays in Cayman’s alternative investment funds industry.”
The Monetary Authority (Amendment) Law now allows CIMA to impose fines for regulatory breaches. It is set out to apply to various regulatory laws including the Development Bank Law (2004 Revision) and the Directors Registration and Licensing Law, 2014 among others. To the extent that those laws do not impose fines, this new legislation instantly provides CIMA with the ability to issues financial penalties.
“The FCA and SEC have long had the ability to impose fines; now CIMA will have the power to do so as well,” says Frew. “Previously, there were too few penalty options for CIMA; this now gives it more flexibility to right-size the penalty to the offence. The regulator has always been able to impose sanctions but it never had the ability to impose financial sanctions at a range of different levels in the way that it has now.”
Proceeds of Crime Law and Anti-Money Laundering legislation
A third piece of regulation recently introduced relates to changes in the Proceeds of Crime Law and Anti-Money Laundering legislation.
This explicitly brings private equity funds and hedge funds that weren’t formerly registered with CIMA within the AML regulatory regime. Anti-Money Laundering Regulations, 2017 (‘AML Regulations’) came into force on 2nd October 2017. The thrust of the changes to the AML Regulations has been to close gaps that remained between Cayman’s robust anti-money laundering regime and the Financial Action Task Force 2012 recommendations (FATF Recommendations).
In terms of ensuring compliance with the AML Regulations, Gary Smith, a partner in the Corporate and Investment Funds Group at Loeb Smith Attorneys, says that a Cayman fund already registered with and regulated by CIMA will typically have delegated the maintenance of AML and Combatting of Financial Terrorism (CFT) procedures on behalf of the Fund to a fund administrator.
“Managers should therefore check that the scope of delegation to their fund administrator is sufficiently broad to cover the requirements of the AML Regulations (e.g. check (i) whether the AML regime being applied in respect of the Fund is the Cayman AML regime or the regime of jurisdiction recognised as having an equivalent AML regime, and (ii) if it is the latter whether or not the relevant administrator is actually subject to the AML regime of that jurisdiction.”
Asked what managers of previously unregistered Cayman funds need to be mindful of, Smith remarks: “Unregulated investment entities should also check that the scope of delegation to their Administrator is sufficiently broad to cover the requirements of the AML Regulations. Investment entities which have not appointed a Fund Administrator (e.g. because the investment manager maintains the AML / CFT procedures on the Fund’s behalf) should check the same matters outlined above and additionally, whether or not the delegate has the requisite personnel (in terms of numbers, training and experience) to maintain the AML / CFT procedures on the Fund’s behalf.”
AML is taken very seriously by firms to uphold the Cayman Islands’ whiter than white reputation but these latest updates have refreshed everybody’s focus on the topic. A lot of what was already in the guidance notes has been moved into the new AML regime, which has introduced more of a risk-based approach, thereby bringing it into closer alignment with the FATF’s requirements.
Greater pressure on directors
All of the above developments, from DPL to the Monetary Authority (Amendment) Law and AML Regulations, place far greater pressure on fund directors as they seek to ensure that a fund’s investment activities are being adhered to, not just by the Fund Manager, but by their appointed service providers.
“Data protection is playing a bigger role with GDPR set to come into effect in Europe this May. It should be on the minds of any proactive boards of directors,” says Inggs.
Jennissen says that directors should be able to ask poignant questions in every board meeting in terms of what managers are doing from a data protection perspective.
We get reports from IT teams as well as service providers that cover how data is being protected, how this process is being managed and the level of resources this requires. Our goal is to ensure the manager is able to focus the majority of his attention on the investment strategy rather than some of these back-office tasks,” comments Jennissen
From a director’s perspective, transparency is vital. “We want to ensure the proper message is being communicated to investors and sometimes that requires challenging the notification approach being taken by the manager,” adds Hoilett.
The rise of digital asset strategies presents the latest challenge to fund directors as they seek to understand the operational mechanics of such funds. One of the unique aspects to these funds, from a security perspective, is the cryptographic keys; and more specifically, where those keys are being held.
“There is a serious question of risk when it comes to whom is tasked with holding the private keys to the fund’s digital currency,” asserts Inggs. “As an independent director I would want to know where and how are the keys being held? Where are they stored? Are they held on exchange, which may be risky, and if so what percentage of the fund’s digital assets are being kept on the exchange?”
Given the pace of regulatory and asset class developments, Cayman directors are being kept busier than ever. With a clearer, more comprehensive governance framework in place, and CIMA’s new enforcement powers, the jurisdiction is doing what it needs to do to maintain its global reputation.
