Preparing for and Managing a CIMA Onsite Inspection

KEY STAGES OF A CIMA ONSITE INSPECTION PROCESS

Notice: a CIMA onsite inspection process opens with a written notification informing the subject FSP of the subject matter, purpose and scope of the relevant inspection. This is typically either accompanied or followed by a list of documentation requested for review by the CIMA inspection team (noting that CIMA will routinely request an FSP’s relevant policies and procedures, board records and internal/external audit reports in order to review such documentation for any gaps or deficiencies as against applicable regulatory requirements).

Pre-Inspection: once notified of an inspection and the documentation required by CIMA for review, an FSP will be given a timeframe within which it will need to identify, gather and collate such documentation for disclosure to CIMA. This will often reflect an opportunity for an FSP to take pre-emptive steps to mitigate any (if any) deficiencies identified in such documentation (e.g. by reviewing and (if required) updating any relevant policies and procedures, records and/or reports). An FSP may wish to engage legal counsel at this stage to advise on or assist with the preparation of any written responses, feedback or commentary that the FSP wishes to submit to CIMA – noting that the CIMA inspection team will generally not credit an FSP for any update(s) made to documentation after, the date on which an inspection notice is received but that updates can nonetheless mitigate remediation requirements where a CIMA inspection team does find deficiencies.

Opening Meeting: the inspection process proper will invariably begin with an opening meeting (or conference call) with the CIMA inspection team. This ‘kick off’ meeting marks the start of the substantive inspection process and often allows an FSP a chance to discuss and ensure that it has fully understood the schedule, scope and focus of the inspection.

Inspection: during an inspection CIMA may request interviews with personnel in compliance and/or other functions in order to enquire with them directly about an FSP’s relevant processes and procedures – a principle aim of such interviews often being to determine whether an FSP’s policies and procedures are actually being implemented in practice.

Closing Meeting: the final stage of the inspection process itself is a closing meeting (or conference call) with the CIMA inspection team in order to discuss the scope of the inspection (and the materials reviewed), flag any preliminary findings, issues or concerns, and allow the subject FSP to provide initial feedback in relation to the same.

Inspection Report: once the CIMA inspection team has completed its review, CIMA will issue a draft inspection report to the subject FSP which sets out CIMA’s findings and, if any, remediation requirements (along with any prescribed deadlines for remediation). A subject FSP will generally be given time, at this stage, to provide further commentary in response to any draft findings and/or remediation requirements. Depending on the nature and extent of CIMA’s draft findings and/or remediation requirements, an FSP may wish to engage legal counsel (if they have not already) at this stage for assistance before CIMA’s final inspection report is provided.

FINDINGS FROM RECENT CIMA ONSITE INSPECTIONS

Aggregated data and feedback gathered from CIMA’s thematic inspections is published in periodic reports on CIMA’s website setting out key themes, good practices and bad practices as observed by CIMA in onsite inspections. These reports can be useful indicators as to CIMA’s regulatory expectations in specific areas. For example, CIMA’s risk-based approach to the AML/CFT/CPF supervision of registered persons (such as investment managers and advisors) under the Securities Investment Business Act (SIBA) – which saw CIMA inspect 113 SIBA registered persons between 1 January 2022 and 31 March 2024 – has generated inspection findings and reports to the effect that whilst CIMA observed improvements across several key areas of AML/CFT/CPF compliance in this population of FSP during this period, there are certain areas of this regulatory framework in respect of which CIMA’s expectations have not been met – including:

• Customer Due Diligence (CDD) and ongoing monitoring: in respect of which CIMA has reported that for the period January 2022 to March 2024, 81% of the SIBA registered persons inspected exhibited weaknesses in their CDD and ongoing monitoring programmes (as compared to 75% across the SIBA registered persons inspected between October 2020 and December 2021); and
• Independent AML/CFT Audit Function: in respect of which, CIMA has noted that for the same period, 63% of the SIBA registered persons inspected exhibited weaknesses in establishing and implementing an effective independent risk-based audit function.[1]

As of 2023, CIMA has also been carrying out risk-based AML/CFT/CPF onsite inspections of virtual asset service providers (VASPs) in order to assess, among other things, their AML/CFT/CPF policies, procedures, systems, and controls, and compliance with the Travel Rule (i.e. the requirement that VASPs obtain and hold originator and beneficiary information in respect of virtual asset transfers).

CIMA has reported good compliance levels in many areas coming out of its first round of VASP inspections; but has also noted deficiencies, particularly around customer risk assessments, sanctions screening, due diligence, transaction monitoring and record keeping – and has signaled that it will continue to promote its supervisory mandate in respect of VASPs through onsite inspections.[2]

In light of CIMA’s recent reports, and whilst CIMA continues to remind all FSP of their regulatory obligations, we would encourage SIBA registered persons and VASPs in particular to carefully consider CIMA’s reported inspection findings (referenced below) and take steps to ensure that their AML/CFT/CPF policies, procedures, systems, and controls are kept up-to-date and maintained to a standard that is proportionate to the nature, size, and complexity of their business activities – noting that they may at some point be subject to inspection by CIMA.

Q&A: FREQUENTLY ASKED QUESTIONS ON CIMA INSPECTIONS

We have just been notified by CIMA that our FSP is going to be subject to an onsite inspection – What should we do?

We would recommend that steps be taken to confirm (if and to the extent required):

• what timeframe or schedule CIMA has set for the inspection; and
• what the scope of the inspection will be (e.g. will the inspection involve a ‘full scope’ or more limited thematic review).

An FSP that has been put on notice of an onsite inspection might also wish to confirm:

• the proposed format of the inspection, including whether it will be a physical inspection (conducted by way of a site visit) or a ‘desk-based review’ (e.g. a remote review of an FSP’s policies and procedures);
• any deadlines in respect of any information and/or documentation requests; and

•  whether or not CIMA intends to request interviews with any personnel.

We would generally encourage FSP to try to be as cooperative as is practicable during an onsite inspection process as an FSP’s level of cooperation may ultimately be taken into consideration by CIMA if it is required to determine whether or not a given matter should be referred for enforcement action.

CIMA has broad statutory powers to require FSP to provide certain types of information and it is important to remember that a person who fails to comply with a lawfully made request from CIMA in this respect (without reasonable cause) or otherwise obstructs a CIMA inspection process may commit an offence that attracts financial penalties (including, potentially, administrative fines).

Is an FSP permitted to brief or instruct its staff ahead of or during an onsite inspection?

Yes – And we would recommend that personnel in an FSP’s management, compliance and control functions are briefed on an inspection process as soon as its scope, schedule and focus has been confirmed (and ideally ahead of any disclosures to, and/or interviews with, the CIMA inspection team).

Subject to the CIMA inspection team’s instructions, we would also recommend that an FSP establishes (and shares with its relevant staff) a clear document and disclosure management protocol so as to ensure that:

• any information requested by the CIMA inspection team is reviewed and, if appropriate, disclosed by a designated point of contact (or team) at the FSP by way of secure electronic file transfer (or other secure means of disclosure);
• any confidential and/or legally privileged information is identified and handled in an appropriate fashion;
•  no relevant information is damaged or destroyed; and
•  all information disclosed to, and communication with, the CIMA inspection team is accurately tracked and recorded.

What if the CIMA inspection team finds that an FSP has failed to meet a regulatory requirement?

Where a CIMA inspection team finds that an FSP has failed to meet a regulatory requirement, CIMA may, among other things:

•  require the relevant FSP to remediate such failure;
• depending on the severity of the relevant matter, impose conditions on, suspend or revoke, an FSP’s license, registration or other authorisation to carry out its business in the Cayman Islands; and/or
• seek to impose financial penalties (including, where appropriate, administrative fines).

CIMA may also publish details of disciplinary action(s) taken against an FSP such that the commercial and reputational risks that can attach to regulatory breaches in this context can be considerable. It is essential therefore that FSP are properly prepared to engage with and manage a CIMA onsite inspection.

HOW WE CAN HELP

An FSP should not wait to receive an inspection notice from CIMA before it begins to prepare for an onsite inspection.

Risk assessments, regulatory compliance reviews and audits can be carried out ahead of time to stress-test an FSP’s relevant policies, procedures, systems and controls – and Appleby’s Regulatory Team has extensive experience in successfully guiding FSP through the CIMA onsite inspection process by way of:

• support before the opening meeting with the CIMA inspection team (e.g. by conducting an independent legal review of an FSP’s compliance policies and procedures; and updating documentation (if required) to address any deficiencies before they are identified by CIMA);
•  assistance with meeting preparation, attendance at and/or keeping records of meetings with the CIMA inspection team during an inspection process;
•  review of and/or assistance with the preparation of: (i) written responses to queries from the CIMA inspection team; and/or (ii) written commentary on draft inspection reports; and
• provision of training prior to and/or following an onsite inspection process – and advice on or assistance with any required remediation measures.

For further information on or assistance with any of the matters referred to in this briefing please reach out to one of the Key Contacts listed below or to your usual Appleby point of contact.

[1] Key Findings from Onsite Inspections of Registered Persons, CIMA Supervisory Information Circular, 8 May 2025.
[2] AML/CFT On-site and Off-site Supervision of the Virtual Asset Service Providers, CIMA Supervisory Information Circular, 18 September 2025.