4.1 Enforcement Manual – Regulatory Handbook Volume 2
In March 2026, CIMA published an updated version of the Enforcement Manual as Volume 2 of its Regulatory Handbook (the “Manual”), replacing and repealing both the June 2025 Enforcement Manual and the Regulatory Procedure – Publication of Enforcement Actions Taken by the Authority (July 2005). The Manual applies to all parties subject to CIMA’s powers to impose enforcement action and administrative fines. It establishes the framework governing CIMA’s enforcement regime with respect to non-compliance with Regulatory Acts by Authorised Persons, consolidating certain procedures including but not limited to enforcement actions and fines. It is organised in four parts:
Part I sets out the policies and procedures for enforcement actions, including the criteria CIMA will apply when determining whether enforcement action is warranted and the range of actions available to it — from supervisory letters and the suspension or revocation of licences and registrations, through to the appointment of controllers and advisors, fitness and propriety assessments and, ultimately, referrals to prosecutorial authorities. Part I also details the warning notice and decision notice procedure, which affords affected parties the opportunity to make representations to CIMA before enforcement decisions are finalised.
Part II addresses the administrative fines regime, setting out the framework for investigating breaches, classifying them as minor, serious or very serious, and calculating the applicable fine through a prescribed five-step process that accounts for matters including disgorgement, aggravating and mitigating factors, and adjustment for guiding principles. It also introduces an early settlement and discount mechanism under which parties may negotiate reduced fines of up to 40% at CIMA’s discretion.
Part III establishes the criteria and procedures for discretionary publication of enforcement actions and administrative fines, balancing public interest and market confidence considerations against confidentiality, while Part IV addresses the procedures CIMA will follow when there are issues of non-compliance and it has lost contact with an authorised person.
Authorised persons should familiarise themselves with the Manual, which does not impose new regulatory obligations but serves as an important guide to how CIMA intends to exercise its enforcement and administrative fines powers in practice. In particular, regulated entities should ensure that their compliance and governance frameworks account for the enforcement criteria, the structured fines methodology and the procedural safeguards outlined in each part of the Manual.
4.2 AML/CFT Activity Report 2024
In February 2026, CIMA published its AML/CFT Activity Report for 2024, providing a detailed overview of the Authority’s supervisory activities, inspection outcomes, enforcement actions, and outreach activities across the financial services sector. During 2024, CIMA conducted 83 AML/CFT onsite inspections of regulated entities, of which 72 had been completed at the date of the report. Of those concluded with deficiencies, 367 requirements were issued, 324 of which were classified as Matters Requiring Immediate Attention. Nineteen inspections resulted in letters with no findings. CIMA continued to apply a risk-based approach to determining the frequency and focus of onsite and off-site AML/CFT supervision, utilising its Strix platform for entity-level risk assessments alongside data from onsite inspections, competent authority disclosures, screening results, and quarterly returns, among other sources.
The report highlights persistent areas of concern identified through the 2024 inspection programme. Risk-based approach deficiencies accounted for 31% of all deficiencies identified through onsite inspections, with common issues including undocumented or incomplete customer risk ratings, gaps in policies and procedures for identifying and assessing money laundering and terrorism financing risks, and failures to conduct periodic customer file reviews within required timeframes. Sanctions programme deficiencies accounted for 13% of deficiencies identified, though CIMA noted an improvement from the prior year, with 49% of inspected entities identified as having TFS-related deficiencies compared to 65% in 2023. Further recurring themes included deficiencies in customer due diligence (12%), internal controls (13%), ongoing monitoring (8%), policies and procedures (9%), and record-keeping (8%). CIMA also continued to supervise the virtual asset sector, issuing 24 directions to entities potentially operating without VASP registration, and commenced a targeted desk-based review of VASP compliance with the AMLRs.
Looking ahead, CIMA confirmed it will continue to promote and safeguard the integrity of the financial services industry by further expanding its data-led supervisory capabilities, tracking deficiencies and remediation to assess compliance with supervisory findings, and ensuring prompt escalation to enforcement where necessary. The Authority will focus on identifying trends, systemic issues, and areas of risk, together with close collaboration with other regulatory and law enforcement authorities, to support timely and appropriate supervisory action. The jurisdiction is now preparing for the FATF 5th Round Mutual Evaluation, with the onsite phase expected to commence in late 2027.
4.3 Thematic Review on Outsourcing
In January 2026, CIMA published its Thematic Review on Outsourcing, presenting the findings of a cross-sector review conducted in 2025 on sixteen regulated entities spanning the insurance, fiduciary, investment, securities and banking industries. The review assessed the effectiveness of governance structures, risk assessment practices and oversight controls relating to outsourcing arrangements, benchmarked against the Statement of Guidance – Outsourcing Regulated Entities (April 2023) (the “SOG – Outsourcing”) and applicable regulatory legislation.
The review identified good practices and weaknesses across eleven thematic areas, with the most significant weaknesses concentrated in four categories: outsourcing agreements (34%), accountability (33%), risk management (10%) and assessment of service providers (8%), together accounting for 85% of the findings. Common shortcomings of outsourcing arrangements included missing contractual provisions (such as performance monitoring metrics, conflict of interest clauses and supervisory access rights), insufficient board-level review of policies and procedures, and inadequate risk assessments and due diligence scope and methodology. CIMA also noted areas of good practice among a number of the entities reviewed, including documented risk management frameworks, board engagement, feasible contingency planning and comprehensive confidentiality protections in service level agreements.
Regulated entities are encouraged to use the findings as a prompt to review and ensure that their outsourcing framework is commensurate with the size, complexity, structure, nature of business and risk profile of their operations. In particular, entities should confirm that outsourcing agreements contain all minimum provisions required under the SOG – Outsourcing, that risk and materiality assessments are conducted prior to entering into arrangements and regularly thereafter, and that appropriate notification procedures are in place with respect to CIMA. The full Thematic Review Report is accessible via CIMA’s website.