Feedback from CIMA’s inspections is provided to the relevant sector of the financial services industry formally and the findings are brought into the public domain through CIMA’s publication of supervisory circulars and reports on its website. For example, in June 2023 CIMA published a report setting out its findings of an IT/cybersecurity thematic review (“IT/Cybersecurity Report”) conducted against twelve entities in the banking, insurance and securities sectors. The IT/Cybersecurity Report highlighted weaknesses and made recommendations to be undertaken by regulated entities to ensure that their IT/cybersecurity framework is aligned with CIMA’s expectations. A link to that report is available here.
Legal basis
The extent of CIMA’s investigative powers varies, depending on the process being followed. In this briefing, we will focus on the powers afforded to CIMA under section 6(1)(b) of the Monetary Authority Act and other related laws to carry out desk-based and on-site inspections. During 2022 and 2023 we noticed an increase in inspections amongst our clients and we see that trend continuing for the remainder of 2023 and into 2024.
Steps in a CIMA inspection
Pre-inspection notification: CIMA will send the inspected firm or its appointed agent a letter containing the subject matter, purpose and scope of the inspection. A specified list of documentation will be requested prior to the inspection and must be made available to CIMA prior to the inspection start date. If an inspected firm has any questions regarding the requested information, they should seek clarification from CIMA or their usual Appleby contact.
The inspection: CIMA will examine the inspected firm’s policies, procedures, reports and files to identify any gaps or weaknesses in them. Other examples of documentation requests may include details of the firm’s organisational structure, customer files, insurance policies, copies of board minutes for the previous two to three years, details of internal/external audits etc.
Interview meeting: this will be the first official meeting between the inspected firm and the CIMA inspections team. Depending on the size and nature of the inspected firm’s business, this may take the form of a series of meetings. CIMA are likely to use the meeting to ask probing questions about the inspected areas and the inspected firm’s processes and procedures. The aim of the meeting covering the various areas (e.g. governance, IT/cybersecurity) will be to ensure that the processes the inspected firm has in place are actually applied in practice.
Closing meeting: the aim of the closing meeting is to discuss the inspection with the inspected firm and representatives from the relevant divisions in the inspected firm are invited to attend. During the closing meeting CIMA will summarise the scope of the inspection and materials reviewed, and give the inspected firm an opportunity to provide feedback. The closing meeting does not necessarily mean the end of a particular matter, as any identified material breaches may be referred to enforcement if not remediated by a required deadline.
Reporting phase: the inspection findings will be documented by CIMA in a draft report of the inspection. The report will include an executive summary, table of findings and the body of the report. The inspected firm can provide feedback on the draft report, before the final version is issued by CIMA.
Enforcement
CIMA’s administrative fines regime empowers CIMA to impose a fine on a regulated firm and/or an individual involved in managing a regulated firm, where it has reasonable grounds to suspect that a regulatory breach is being or has been committed.
The number of administrative fines imposed by CIMA for AML-CFT breaches and breaches of regulatory laws increased during 2021 and 2022. To date, CIMA has imposed, eleven fines on regulated entities and individuals under its administrative fines regime.
Although CIMA does not publicly publish a list of enforcement priorities, certain priority areas for CIMA appear to be outsourcing, IT/cybersecurity and corporate governance requirements based on recently published revised regulatory measures and published reports such as the IT/Cybersecurity Report arising from recent inspections. In our view, these will be critical areas for a regulated firm to focus on as any weaknesses or identified compliance gaps brought to CIMA’s attention during the course of an inspection may trigger an enforcement action.
Appleby’s Top 5 risk mitigation tips
The legal and regulatory landscape in which a regulated firm operates is constantly evolving and the obligations associated with complying with laws and regulations are increasing. Here are our top 5 tips to having a successful inspection:
Engage with CIMA: be transparent and fully cooperative with CIMA and establish a good working relationship from the start to address any concerns CIMA might have. Nominate a point of contact in the firm to communicate with CIMA or else appoint Appleby to do this on your behalf;
Well defined procedures/up to date records: ensure your firm has well defined procedures and all records are up to date. This ensures that you are prepared for a CIMA inspection when it happens. Don’t wait to get the CIMA notification of an inspection in order to get your house in order;
Don’t look for trouble: pay fees when due, file reports within the prescribed timeline and respond to CIMA queries within the required timeline;
Good corporate governance: be able to evidence to CIMA that the inspected firm has an adequate and effective corporate governance framework having regard to its size, complexity, structure, business and risk profile; and
Outsourcing: given the increased regulatory scrutiny by CIMA of outsourcing arrangements, ensure all outsourcing arrangements, related procedures and policies are well documented and there are written outsourcing agreements covering all outsourcing arrangements.
How appleby can help
Our regulatory team is comprised of experienced professionals who have successfully guided numerous clients through the CIMA inspection process. Our team can assist with:
- conducting an independent legal review of your compliance policies and procedures;
- updating such policies and procedures (as required) to ensure they satisfy CIMA’s expectations;
- ensuring that all relevant staff have received appropriate training (including AML-CFT training);
- preparing you for, and getting you through, a CIMA inspection;
- attending the CIMA interview and closing meetings; and
- liaising with CIMA on your behalf throughout the inspection.
Disclaimer: The information contained in this briefing is only intended for general information purposes only and is not intended to constitute legal advice. It is based on our experience of successfully assisting and guiding regulated entities through the CIMA inspection process. For specific advice on the inspection process, please contact any of the authors or your usual Appleby contact.
