Following industry consultation, on 30 August 2023 the Cayman Islands Monetary Authority ("CIMA") issued updated Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands (the "Updated Guidance Notes"). The Updated Guidance Notes replace the previous version issued by CIMA on 5 June 2020, as supplemented in February 2021 and May 2021.
The key change is that financial service providers ("FSPs") are now expressly permitted to undertake remote on-boarding and ongoing monitoring of business relationships, including by way of e-KYC and digital identification ("ID") systems, provided that the guidance in the Updated Guidance Notes is followed.
Updated guidance on remote on-boarding and ongoing monitoring of business relationships
The Updated Guidance Notes permit FSPs to undertake remote on-boarding (meaning the establishment of new business relationships via technology solutions and non-face-to-face means where the customer is not physically present at the place where the relationship is being established) and ongoing monitoring of business relationships, including by way of e-KYC methods and digital ID systems, provided that the guidance in the Updated Guidance Notes is followed. E-KYC refers to the processes whereby a customer's identity is verified by electronic means. A digital ID system is a system that covers the process of identity proofing/enrolment and authentication[1].
Pursuant to the Updated Guidance Notes, FSPs should take a risk-based approach to remote on-boarding and ongoing monitoring of business relationships. Set out below is a summary of the updated guidance which FSPs should adhere to when undertaking remote on-boarding and ongoing monitoring of business relationships.
Customer risk assessment: Before an FSP uses e-KYC procedures and/or digital ID systems to on-board a customer it should be comfortable (based on its risk assessment of the customer) that such methods are appropriate and, where applicable, consider the application of tiered customer due diligence ("CDD")[2].
Higher risk: Where an FSP has assessed a customer, product, service or jurisdiction as higher risk for money laundering and terrorist financing ("ML/TF"), it should conduct additional verification measures to ensure the accuracy of e-KYC procedures. Where a higher risk customer, product, service or jurisdiction is involved, an FSP should consider using face-to-face interactions and original certified documents for on-boarding and ongoing monitoring purposes rather than remote methods.
Technology solutions risk assessment: FSPs should consider the basic components of technology solutions (including e-KYC and digital ID systems) and take an informed risk-based approach to relying on such technology solutions for the purposes of remote on-boarding and ongoing monitoring of business relationships. This includes understanding a system's assurance levels (being the level of confidence and accuracy in the reliability and independence of the system and its components) and ensuring that such levels are appropriate to the assessed ML/TF risks of the specific case for which the system is being used. FSPs must ensure the level of assurance is adequate for the customer, product, jurisdiction and other relevant risk factors. FSPs may consider e-KYC procedures and digital ID systems with lower assurance levels to be sufficient for simplified due diligence in cases of low ML/TF risk.
FSPs should carry out a formal risk assessment of each new technology solution which includes documented considerations of how the proposed system works, the level of assurance that it provides and any particular risk associated with it.
Policies and procedures: FSPs should have robust documented policies and procedures in place to ensure a consistent and adequate approach to relying on technology solutions for CDD purposes, including: (i) a tiered CDD approach that leverages the new technology solutions with various assurance levels; (ii) policies for the secure electronic collection and retention of records by the new technology solutions; (iii) a process for enabling authorities to obtain from the new technology solutions the underlying identity information and evidence needed for identification and verification of individuals; (iv) anti-fraud and cybersecurity processes to support e-KYC/digital ID proofing and/or authentication for anti-money laundering and countering the financing of terrorism efforts from the new technology solutions; (v) back-up plans for possible instances where the new technology solution fails; (vi) a description of risk indicators that would prompt an FSP to refrain from utilising the new technology solutions; and (vii) procedures for the regular, ongoing and independent review (being a review carried out by internal audit or any other control function as defined in the Rule on Corporate Governance for Regulated Entities) of the effectiveness of the new systems and processes used.
Video-conferencing: FSPs should put in place appropriate controls during the video-conference process to verify the identity and authenticity of the ID documents presented. If an eligible introducer or suitable certifier has met the customer, they must confirm to the FSP that they have met the customer via video-conferencing, including a photograph of the customer or a scanned copy of the certified documents.
CDD for legal persons and arrangements:
- Video-conferencing may be used, when on-boarding customers who are corporate legal persons or legal arrangements, to identify the customers' natural persons (such as beneficial owners and directors).
- Regulated entities may use publicly available sources when verifying customers that are corporate legal persons.
- FSPs who are unable to verify official constitutive or formation documents during video-conferencing or via other electronic methods due to unavailability of public sources must seek alternative measures to verify the documentation.
"Selfies": Selfie photographs may be used to verify documents, so long as the photographs are in colour and clearly show the person's face, holding the identity document in the same photograph to demonstrate it actually belongs to that person. A clear scanned copy in colour or a photograph of the identity document itself should also be provided.
Anti-fraud and cybersecurity measures: FSPs should adopt appropriate anti-fraud and cybersecurity measures to support e-KYC and digital ID systems, such as authentication systems for CDD.
Record keeping: FSPs must ensure that records of identification data obtained through e-KYC procedures and digital ID systems are easily accessible, maintained and can be made available to competent authorities on request.
The Updated Guidance Notes also note that customer identification and verification that rely on reliable independent e-KYC and/or digital ID systems with appropriate risk mitigation measures in place that meet ISO/IEC technical global standards for digital ID systems may present a standard level of risk, and may even be lower risk where higher assurance levels are implemented and/or appropriate ML/TF risk control measures are present.
The Updated Guidance Notes confirm CIMA's approach to the use of e-KYC and remote on-boarding technology, which is intended to reflect Financial Action Task Force Guidance. This is a welcome development for industry and provides increased flexibility and efficiency for FSPs and their customers.
[1] Identity proofing and enrolment can be either digital or physical (documentary), or a combination, but binding, credentialing, authentication, and portability/federation must be digital.
[2] Tiered CDD is unlikely to be relevant to the majority of our clients given their business models. Tiered CDD is where the account functionalities given to a customer are dependent on the level of CDD which has been successfully completed by the FSP on such customer.