Sep 2024
As an evolving area of commercial disputes in the Cayman Islands, global enforcement trends provide us with valuable insight into the types of regulatory proceedings on the horizon for offshore jurisdictions. In this second edition of our Regulatory Disputes Series, our regulatory enforcement experts share a further three hot topics to watch for the future of offshore financial services regulatory disputes, and highlight how these developing regulatory challenges are in fact all intertwined.
The Conyers team of Regulatory Disputes specialists have market-leading experience supporting their clients through high value, high profile and challenging regulatory disputes, including those involving multiple regulators and jurisdictions. We are uniquely placed to advise and appear in the most complex matters and work hand in hand with our Regulatory & Risk Advisory practice to deliver a full service offering across the entirety of the regulatory life cycle.
Governance and senior management accountability
The Cayman Islands Monetary Authority (CIMA) recently introduced a new Corporate Governance for Regulated Entities Rule (the “Corporate Governance Rule”) and a new Rule and Statement of Guidance on Internal Controls for Regulated Entities (the “Internal Controls Rule and SoG”) that apply to the governing body of all CIMA regulated entities, such as banks, trust companies, insurance companies, securities investment businesses, and private funds. ‘Governing body’ is defined as the Board of Directors where the entity is a corporation, the General Partner where the entity is a partnership, the manager (or equivalent) where the entity is a Limited Liability Company, and the Board of Trustees where the entity is a trust business. The Corporate Governance Rule requires regulated entities to “establish, implement, and maintain a corporate governance framework which provides for sound and prudent management oversight of the regulated entity’s business and protects the legitimate interests of relevant stakeholders.”
This development follows the trend of regulators across the globe focussing on senior management accountability as a key to enhancing organisational culture and governance in the financial services sector. Recognising the critical role played by senior management in promoting good governance, many jurisdictions have introduced regimes to impose clear accountability requirements on senior managers in the industry. For example:
- The UK Financial Conduct Authority Senior Managers and Certification Regime was first established in 2016 to apply to banks, building societies, credit unions and designated investment firms and has gradually expanded over time to apply to a wide range of other financial services providers, such as insurers. The Regime “aims to reduce harm to consumers and strengthen market integrity by creating a system that enables firms and regulators to hold people to account”. Key features include the requirements for senior managers to obtain regulatory pre-approval and comply with additional conduct rules, and for every senior management function to have a statement of responsibilities that clearly states what they are responsible and accountable for.
- Similarly, the Monetary Authority of Singapore Guidelines on Individual Accountability and Conduct provide guidance on “the five high level outcomes that financial institutions should achieve to promote the accountability of senior managers, strengthen oversight over material risk personnel, and reinforce conduct standards among all employees”.
- The recently introduced Australian Financial Accountability Regime (which replaced the former Banking Executive Accountability Regime) is designed to “improve the risk and governance cultures of Australia’s financial institutions”. It imposes a strengthened responsibility and accountability framework for entities in the banking, insurance and superannuation industries, and their directors and senior executives.
Now that the Corporate Governance Rule and the Internal Controls Rule and SoG have been in operation for just under a year, and with growing global sentiment that senior management accountability is crucial to promoting good governance, we anticipate that monitoring and enforcing compliance with these regimes will be a key focus for offshore regulators including CIMA. You can read our deeper dive on the Corporate Governance Rule and the Internal Controls Rule and SoG here.
Cybersecurity
On the theme of innovation and digital technology that featured prominently in Part 1 of this Article, another enduring global regulatory (and consumer) focus is cybersecurity. As with the digital assets market, the rapid pace of technological development is challenging regulators to remain one step ahead of cybercriminals. Many jurisdictions lack a single regulatory framework for managing cyber risk, and enforcement responsibility is often shared across agencies, requiring a sophisticated and coordinated effort between various regulatory bodies. Further, with the proliferation of technologies such as artificial intelligence (our third hot topic, below), data is becoming an ever more valuable asset to the financial services industry.
In the Cayman Islands, CIMA has implemented a cybersecurity-specific regulatory regime through its Cybersecurity for Regulated Entities Rule and Statement of Guidance which came into effect last year (the “Cybersecurity Rule and SoG”). The Cybersecurity Rule and SoG is applicable to all CIMA regulated entities, with the exception of regulated mutual and private funds. In June 2023, CIMA also issued its Thematic Cybersecurity Review Report, based on its review of twelve regulated entities spanning the banking, insurance and securities sectors. CIMA stated in its concluding remarks that it “further encourages governing bodies to enhance their oversight on cybersecurity frameworks and to ensure that such frameworks are adequately implemented by senior management across all business lines and geographies, where applicable.” The pervasive theme of senior management accountability emerges yet again in these remarks.
The US Department of Justice (DOJ) has been notably active in cybersecurity enforcement this year. For example:
- In May 2024, the DOJ announced that it had reached a US$2.7 million settlement with staffing company Insight Global LLC to resolve allegations that it violated the False Claims Act by failing to implement adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing.
- Last month, the DOJ announced that it had intervened in an existing proceeding brought by a whistleblower against the Georgia Institute of Technology, introducing allegations that it knowingly failed to meet cybersecurity requirements in connection with its contracts with the Department of Defense. These allegations include that the defendant submitted a false cybersecurity assessment score to the Department of Defense, and that it approved one of its labs’ refusal to install antivirus software in order to satisfy the demands of the professor who headed the lab.
Artificial intelligence
In Part 1 of this Article, we explored recent enforcement activity in response to the emerging issue of “AI washing” in the context of sustainable finance. But noting the rapid proliferation of the use of artificial intelligence throughout the financial services sector, AI deserves a place as a hot topic in and of itself.
Financial services companies are reportedly embedding AI into a wide range of their business functions, including fraud and crime detection, chatbots, algorithmic trading, customer relationship management, compliance and portfolio management. This technology gives rise to novel regulatory enforcement challenges as regulators globally are endeavouring to stay ahead of the curve. The UK Department for Science, Innovation and Technology (DSIT), in its white paper ‘AI regulation: a pro innovation approach’, has proposed the following five cross-sectoral principles for existing regulators to interpret and apply within their remit in order to drive safe and responsible AI innovation:
- Safety, security and robustness;
- Appropriate transparency and explainability;
- Fairness;
- Accountability and governance; and
- Contestability and redress.
Turning back to governance and senior management accountability, or perhaps simply ‘human accountability’ in the context of AI, regulators are grappling with how to ensure that the proliferation of AI does not counter recent efforts to enhance organisational culture and governance through individual accountability frameworks. We anticipate that the governance and senior management accountability frameworks discussed above might be harnessed by regulators to ensure that financial services providers are appropriately evaluating AI-related risk, and allocating and documenting responsibility for the same.
The proliferation of AI also interacts with cybersecurity enforcement, as experts warn that AI (particularly generative AI) will enhance the capabilities of cybercriminals and increase the effectiveness of attacks. For example, in its discussion paper written to inform discussions at the AI Safety Summit 2023, DSIT opined as follows:
“Generative AI integration into critical functions and infrastructure presents a new attack surface through corrupting training data (‘data poisoning’), hijacking model output (‘prompt injection’), extracting sensitive training data (‘model inversion’), misclassifying information (‘perturbation’) and targeting computing power.”
Earlier this year, the UK National Cyber Security Centre published its report on the near-term impact of AI on the cyber threat, concluding that AI “will almost certainly increase the volume and heighten the impact of cyber attacks over the next two years” and that this threat arises from “evolution and enhancement of existing tactics, techniques and procedures”.
We will be watching developments in this space with interest, as financial services regulators across the globe explore different models of enforcement, inevitably requiring international coordination and cooperation.
Stay tuned for the next edition of our Regulatory Disputes Series, which will offer practical tips on managing one aspect of a contentious regulatory matter.