Cayman beneficial ownership model comes with cybersecurity edge

Cayman Islands law governing beneficial ownership data took effect July 1, ushering in a technology-based system to manage the exchange of information about the true owners of Cayman-registered entities.

In an age of daily cyberattacks, the system brings with it questions about safeguarding sensitive business data. Financial information can prove particularly enticing for hackers, making the integrity of the system all the more important.

Cayman Finance CEO Jude Scott discussed the cybersecurity considerations when establishing the database and the elements that set Cayman’s system apart from other international models.

The Journal: What were the priority considerations when determining the format of the new beneficial ownership platform?

Jude Scott: It was important to develop a platform which would fully meet the needs of law enforcement and regulatory bodies both here in the Cayman Islands and in the United Kingdom while at the same time maintaining the basic right to privacy and ensuring the security of what is extremely sensitive data. The data has to be collected, and held, in a consistent and easily searchable format so as to ensure rapid and coherent responses are able to be provided to those tasked with investigating, among other things, organized crime and terrorist financing – that is clearly to the benefit of all. On the other hand, cybersecurity and identity fraud/theft are live issues in today’s world, as demonstrated by a recent worldwide spate of data hacks and, in that context, it was critical to ensure that the platform was highly secure both physically and digitally. Every decision, from the extent of the data collected, to the methodology for doing so, to the system for making that data available for searches had to be made on the basis of maintaining that balance.

TJ: Why not establish a central, publicly searchable database?

JS: It is important to note that a central, publicly searchable database does not represent the current “standard” around the world and, in fact, the Cayman Islands platform already represents a level of transparency well ahead of many leading onshore financial centers. The EU’s Fourth Anti-Money Laundering Directive stops short of requiring that information be made available publicly, yet even so, the EU Justice Commissioner, in July 2017, formally reprimanded 17 EU Member States for failure to establish appropriate systems for collecting beneficial ownership information. In that context, the Cayman Islands is at the forefront of compliance in stark contrast to incorrect perceptions of the jurisdiction based on lazy prejudice.

While the U.K. operates a central, publicly searchable database, the data which is submitted is not required to be independently verified. Accordingly, it is hard to know the true value of such an approach for law enforcement (who are the key users of this information). In contrast, the Cayman Islands already operates well-respected and internationally approved verified anti-money laundering and know your customer processes carried out by licensed corporate services providers whose compliance is the subject of regular scrutiny by well-respected regulators. Verification of information is essential in attempting to detect unintentional or intentional inaccuracies in such information by parties seeking to do business in a jurisdiction.

Further, there are real and fundamental issues surrounding the right to privacy and data protection which present significant challenges in the context of a central, publicly searchable database. The Universal Declaration of Human Rights was proclaimed by the General Assembly of the United Nations on Dec. 10, 1948, and states, in Article 12, that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.” A publicly searchable database of ultimate beneficial ownership presents a very real threat to this right as the overwhelming majority of persons owning and/or operating businesses globally do so legitimately and not for nefarious purposes. There is no policy reason which can truly justify exposing the information of all such people, especially when one considers that the recorded information includes residential addresses, dates of birth and passport numbers. One can see, immediately, that there would be very real concerns if such information were to be globally available. By contrast, the platform (which remains under development) will ensure that this critical information is available quickly and efficiently to those authorities who require access to such information in circumstances where there is an active investigation which can benefit from the information. By reference to the Universal Declaration of Human Rights, this ensures that there is no “arbitrary interference” – instead, any interference can occur only where legally justified.

TJ: Describe the “air gap” system that was developed for storing beneficial ownership data. What security benefits does this provide?

JS: There is inherent risk in the transmission of any data over the internet and storage of data in systems connected to the internet and those risks have been cruelly exposed on a number of occasions in recent times, often with devastating results. The “air gap” design, often used in stock exchanges, military systems and other critical systems such as nuclear power plants and avionics, ensures that none of the highly sensitive private data, applications or operating systems required to operate the register (and very useful to law enforcement in the proper circumstances) are exposed in a way which makes it readily available to digital attacks. The objective of an “air gap” design is to reduce the methods, vectors, and opportunities of attack.

To ensure that service provider data is protected “end-to-end,” each licensed service provider collects and holds their data securely on their own systems and then, on a regular basis, encrypts the data using a purpose-built hardened operating system at their location, then physically transports the encrypted data to the Beneficial Ownership Digital Search (BODS) System located in the Government Administration Building. By design, the BODS System itself is not linked to the internet or any internal network and can only be searched using a directly connected terminal where physical access is strictly controlled. Breaches of cybersecurity represent the greatest threat to the privacy of the collected data and this approach, while less convenient for service providers, tackles that most dangerous of threats in a highly effective way.

TJ: Are there any risks in the “air gap” system that could compromise the stored data?

JS: The Cayman Islands Government and the compliance team at General Registry are examining every aspect of the procedure in order to minimize risks. The procedure specifies that data is encrypted at the service provider’s location and can only be decrypted once inside the BODS system itself. The BODS system, decryption keys, data and application code all reside inside a physically hardened hardware platform which is not connected to the internet or any internal networks. Data transfer is expected to be permissible only into the BODS system without any mechanism to digitally transfer data out of the environment.

The legislation imposes significant criminal penalties upon any person carrying out a search of the BODS System without appropriate authority or in any way sharing the stored data otherwise than in accordance with the legislation. It is probably true to say that no system can be perfect, but the best and the brightest IT minds in the Cayman Islands have come together from both the public and private sector to try and build the best possible solution.

TJ: What is expected of businesses under this system, in terms of updating and handling data for the database?

JS: There are two distinct categories to consider here: companies/LLCs registered in the Cayman Islands and, separately, the corporate services providers who provide registered office services in the Cayman Islands.

Entities in the first category who are subject to the requirements of the beneficial ownership regime must seek to ensure that they, at all times, understand their ownership and control structure and are able to identify “registrable persons” – which means those individuals or intermediate holding companies who are required to be entered on their beneficial ownership register. This is an ongoing obligation and companies must take reasonable steps to identify the relevant persons. The legislation provides a number of investigatory tools for companies seeking to comply, including formal notices to request information which may be issued to certain persons in order to assist the investigation. Once registrable persons are identified, the legislation then sets out a number of “required particulars” which must be collected, including residential addresses, dates of birth and the details of identifying documents.

For corporate services providers, they are obliged to provide an information-technology solution which facilitates the storage of beneficial ownership data and its transmission (via the air-gap method) to the BODS System. In practical terms, this amounts to ensuring they are able to store data provided to them by companies, create beneficial ownership registers which comply with the detailed requirements set out both in primary legislation and the associated regulations and put in place processes and systems which enable the data to be encrypted and transported to the BODS System.

TJ: How accessible is this type of system to law enforcement or other relevant authorities?

JS: The data is available within 24 hours (or one hour in urgent cases), 365 days of the year, but only in response to a lawful search request which passes various checks and balances set out in the legislation. Where there is a request from authorities in another country, the law requires an agreement with that country to govern requests and exchange of information. The law is specifically intended to ensure that it is not lawful to make “fishing” searches and it has long been understood that the BODS system’s search function (which remains in development) will ensure that the search results only show data pertinent to a targeted search. Both vertical and horizontal searches can be made, but searches must be by reference to a specific individual or entity. As with all aspects of the platform, the aim is to ensure the correct information gets to the right people quickly, efficiently and in a coherent format, while at the same time ensuring that non-relevant data is completely protected and not even visible to the searcher. This presents some very real challenges, but is critical to ensuring the correct balance between transparency and privacy.

TJ: How does Cayman’s system compare to other beneficial ownership models?

JS: The Cayman Islands operates in a unique market as a global financial hub primarily catering to sophisticated and institutional investors and, accordingly, the Cayman Islands regime has been carefully crafted to achieve the combined aims of greater transparency for law enforcement and preservation of privacy where appropriate.

The Cayman Islands is a leader in transparency standards, having had a world-class, verified anti-money laundering and know your customer regime (which already focused on identifying and verifying beneficial ownership) for more than 15 years.

What distinguishes the Cayman Islands beneficial ownership/AML/KYC regime from most others around the world is that information is collected and verified by licensed Cayman Islands corporate service providers under existing anti-money laundering and know-your-customer laws. Many of the other beneficial ownership registries – including central public registers – rely solely on self-reported information, which can be less complete and accurate. The new laws passed on July 1, 2017 introduce technology-based system enhancements to improve the speed and efficiency of the format in which beneficial ownership information is available to appropriate authorities.

While a number of other jurisdictions have recently taken steps to implement some form of beneficial ownership data collection systems, most of these remain at a fairly early stage of development and the approaches have been extremely varied. In Singapore, access, like in the Cayman Islands, is limited to law enforcement, while Armenia, Brazil, Costa Rica and Mexico have limited access to monitoring government authorities. In India, access is limited to the members of any given company. There is a very wide range to the chronological limits for reporting changes, ranging from two days (Singapore) to five years (Italy). In addition to the Cayman Islands, the U.S. Library of Congress has identified that only Argentina, France, Mexico, Namibia, South Africa and Spain have any form of data verification. We are not aware of any other beneficial ownership models that feature all of the three key components of Cayman’s verified beneficial ownership regime:

  1. The verification of information by licensed corporate services providers
  2. The air-gapped technology platform (as opposed to internet-accessible or interconnected systems)
  3. The availability of accurate and timely information for proper law enforcement and regulation balanced with the right to privacy, data protection and human rights

TJ: Do you foresee Cayman’s model providing a competitive advantage, compared to other offshore financial centers?

JS: The Cayman Islands government has taken great care to develop a model which is proportionate, fair and successful in delivering the important information to the right people and at the right time whilst protecting the personal identifying data of those who operate legitimately and above the law. It is probably too early to judge many (or indeed most) of the nascent beneficial ownership regimes now operating globally and it is only to be expected that the various regimes (including the Cayman Islands) will be modified, tweaked and improved as stakeholders and law enforcement become more familiar both with the issue and the information which is available.

Cayman’s air-gapped technology platform provides critical data security benefits and represents the best possible solution to protect such important and sensitive information. This will be appreciated by our clients, business partners and industry stakeholders around the world, and we anticipate this will become another strategic, competitive advantage for our jurisdiction. For “good actors,” there is nothing to be scared of in the Cayman Islands regime and that should serve to ensure that the Cayman Islands remain a pre-eminent jurisdiction for global financial services.