1. Regulatory Consultation on New AML/CFT/CPF and Sanctions Rules
At the beginning of February 2026, CIMA launched a 30 day private sector consultation on new proposed rules in respect of: (1) effective compliance programmes for the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing for Financial Services Providers (“Proposed AML/CFT/CPF Rule”); and (2) compliance with financial sanctions and targeted financial sanctions (“Proposed Sanctions Rule”).
As highlighted in our previous edition of Conyers Coverage, the Cayman Islands jurisdiction is preparing for the FATF’s 5th round mutual evaluation, being the first to take place since the Cayman Islands was removed from the FATF’s increased monitoring “grey list”, including an onsite review which will commence in 2027. Given this represents a critical opportunity for the Cayman Islands to demonstrate the effectiveness of its AML/CTF framework and its commitment to global best practices, we have seen increased activity from regulators including the Cayman Islands Monetary Authority (CIMA) to uplift and refine existing regulatory frameworks ahead of the upcoming evaluation.
This consultation is one such effort with CIMA citing the need for enforceability backed by regulatory enforcement/sanctions as an area requiring uplift based on its review of recommendations from the FATF and the previous mutual evaluation conducted by the Caribbean FATF. The Proposed AML/CFT/CPF Rule and Proposed Sanctions Rule are designed to lift and elevate certain areas of existing guidance set out in CIMA’s Guidance Notes on the Prevention and Detection of Money Laundering, Terrorist Financing and Proliferation Financing in the Cayman Islands (the “AML Guidance Notes”), and thereby reinforce and strengthen the operation of the current regulatory framework.
The Proposed AML/CFT/CPF Rule primarily focuses on governance and oversight of AML/CFT/CPF compliance, proportionate client and business risk assessments, detailed CDD procedures, outsourcing, ongoing monitoring and record-keeping, compliance training programmes and internal and external audit. The Proposed Sanctions Rule is focused on ensuring that sanctions compliance is integrated into the AML/CFT/CPF compliance programme, as well as initial and ongoing screening and monitoring, asset freezing mechanisms and sanctions reporting obligations.
Insurers that are not conducting “relevant financial business”, are not in full scope of compliance of all AML related rules, regulations and legislation but are currently expected to operate appropriate AML/CFT/CPF and sanctions policies and procedures by CIMA as confirmed by the AML Guidance Notes and typical licensing conditions. If the Proposed AML/CFT/CPF Rule takes effect as drafted, this expectation will be elevated to the status of a rule, requiring insurers to operate AML/CFT/CPF compliance programmes in accordance with the minimum requirements set out in the rule.
The Cayman Islands financial services industry has been in the process of collectively reviewing, providing feedback and responding to the consultation which closed on 20 March 2026.
2. The Beneficial Ownership Transparency Act – Restricting Access to Beneficial Ownership Information
It is over a year since the Cayman Islands revised its beneficial ownership regime, requiring companies to operate and report a beneficial ownership register unless able to rely on an alternative route to compliance (such as being licensed under a regulatory law). Whilst the beneficial ownership registers are not made public, the regime allows for certain narrow applications for disclosure of beneficial ownership information to be made where an applicant can evidence a legitimate interest in obtaining disclosure of such information. In turn, the Beneficial Ownership Transparency (Access Restriction) Regulations also provide a corresponding option for beneficial owners to apply to restrict access to beneficial ownership information based on demonstrating a serious risk of danger or serious harm (such as kidnapping, extortion, violence).
Whilst an insurer opco is not typically required to establish a beneficial ownership register because it is able to avail itself of the alternative route to compliance of being licensed under a regulatory law, an opco can be required to temporarily establish a beneficial ownership register if there is a gap in time between incorporation and the grant of the licence. It is also worth noting that entities based in the Cayman Islands that sit above the insurer opco are often required to maintain beneficial ownership registers, particularly as we are seeing more complex corporate structures for insurers continuing to be established in the Cayman Islands.
In the last year, Conyers has made a number of successful applications to restrict access to beneficial ownership information and would be happy to assist any parties interested in exploring this potential option for beneficial owners.
Our previous article on the Beneficial Ownership Transparency (Access Restriction) Regulations provides more detail on the application process and is accessible here.
3. CIMA Reports On Findings from Onsite Inspections
Our update above takes an in-depth look at the CIMA onsite inspections process, with updates and guidance on how to prepare for and manage a CIMA inspection (accessible here).
As we explain in our inspections update, a helpful step for being prepared is to keep up to date on CIMA’s published feedback from its previous onsite inspections. CIMA has recently published reports with findings from its onsite inspections carried out in relation to AML/CFT compliance and outsourcing. We summarise CIMA’s key findings below.
AML/CFT Report
The report covers CIMA’s activities and findings during 2024 from oversight of 33,000 regulated entities across all financial services sectors and 83 AML/CFT onsite inspections.
We set out below CIMA’s key findings on areas of non-compliance, including the percentage of deficiencies identified related to these key areas:
- Risk-Based Approach (31%): the most prevalent deficiency area, including inadequate customer risk rating tools, undocumented risk assessments, and failure to conduct periodic reviews within stipulated timeframes.
- Sanctions Programmes (13%): inadequate screening of customers and counterparties, missing documentation of timely screening as sanctions lists were updated, and poor management of sanctions alert data.
- Internal Controls (13%): inadequate documentation of outsourcing arrangements, failure to maintain independent audit functions, and lack of information-sharing procedures within financial groups.
- Customer Due Diligence (12%): incomplete or inadequate KYC measures, missing certification of documents, and incomplete PEP due diligence records.
- Policies and Procedures (9%): ongoing monitoring (8%), and record keeping (8%) comprised the remaining deficiency categories.
Outsourcing Report
The report covers CIMA’s thematic review of outsourcing practices across sixteen regulated entities spanning the insurance, fiduciary, investment, securities and banking sectors. The review assessed compliance with the Statement of Guidance on Outsourcing Regulated Entities (SOG) and evaluated the effectiveness of governance structures, risk assessment practices, and oversight controls relating to outsourcing arrangements.
We set out below CIMA’s key findings on areas of non-compliance, including the percentage of deficiencies identified related to these key areas:
- Outsourcing Agreements (34%): the most significant area of weakness, with most deficiencies relating to missing provisions in outsourcing agreements. Common omissions included performance monitoring and metrics, conflict of interest clauses, provisions for supervisory access by CIMA, regular review and reporting requirements, sub-contracting arrangements, material impact disclosures, and insurance coverage obligations.
- Accountability (33%): principal weaknesses included insufficient Board review and approval of outsourcing policies and procedures, absence of mechanisms for frequency of assessments and performance thresholds, lack of independent reviews or audits, and inadequate maintenance of outsourcing logs.
- Risk Management (10%): deficiencies included incomplete risk assessments that failed to consider all minimum risks required by the SOG, inadequate outsourcing policies regarding risk management, and failure to evidence risk assessments prior to initiation of arrangements or on a regular basis thereafter.
- Assessing Service Providers (8%): weaknesses included inadequate assessment scope during due diligence, failure to conduct initial or regular assessments, and insufficient verification of service providers’ insurance coverage.
CIMA also acknowledged areas of good practice including regular Board review and approval of outsourcing policies, performance of risk, materiality and due diligence assessments of service providers, maintenance of outsourcing logs, independent audits of outsourcing frameworks, clear communication procedures with service providers, and comprehensive confidentiality clauses in services agreements. CIMA highlighted that outsourcing does not diminish regulatory responsibility, and governing bodies and senior management remain ultimately accountable for all outsourced material functions.
For the latest Cayman Islands regulatory updates from our team, please refer to the most recent Regulatory & Risk Advisory Outlook, available here.