About Loeb Smith
People
Sectors
Expertise
News and Announcements
News
Legal Insights
Briefing Notes
Media
Locations
Subscribe Newsletters
ContactThe EU’s General Data Protection Regulation (“GDPR”) applies to offshore investment funds with European investors. The Cayman Islands Data Protection Act, 2021 (“DPA”), regulates the processing of all personal data. Inspired by the UK’s Data Protection Act, the DPA includes provisions very similar to GDPR (together “Data Protection Laws”), with certain notable differences.
Even though the DPA applies generally to the processing of personal data and not just to investment funds, within this context and as part of the subscription process, investors are required to provide a government-issued photo ID, source of funds and wealth, contact details, payment details, and tax residence information, or even additional information about employment, dependents, income and investment objectives (the “Investor Personal Data”), which are processed and stored by or on behalf of the investment fund (the “Fund”) and/or by one or more of the service providers to the Fund. Some of the processing may be done by different parties in various jurisdictions.
Within the context of investment funds, the Administrator, Transfer Agent, Distributor, and the Investment Manager of a Fund may fall within the definition of a Data Controller or Data Processor. To ensure compliance with GDPR and/or DPA, the Fund’s Board of Directors should review the contractual arrangements with these parties and may need to appoint a Data Protection Officer. As a reminder, the Board of Directors of the Fund is required to supervise third party service providers and ensure that there are sufficient measures in place to protect Investor Personal Data. Privacy Notices in the Fund’s offering documents would need to be updated to ensure that investors are fully aware of where their Personal Data is being processed, by whom and for what purpose.
For ease of reference, a brief comparison between GDPR and the DPA is included below.
Comparison of the Main Provisions
| GDPR | DPA | |
| Personal Data | Any information relating to an individual who can be identified, directly or indirectly, from that data (including online identifiers such as IP addresses and cookies may qualify as personal data if they are capable of being linked back to the individual). | Same as GDPR |
| Data Controller | The person who, alone or with others, determines the purposes, conditions and means of the processing of Personal Data.
|
DPA applies to any Data Controller in respect of Personal Data (a) established and processed in the Cayman Islands; or (b) processed in the Cayman Islands otherwise than for the purposes of transit . |
| Privacy Notice | At the time of collection of the data, individuals must be informed of the purposes and detail behind the processing, the details of transfers of data and any security and technical safeguards in place. This information is generally provided in a separate privacy notice. | Same as GDPR |
| Right to Access | Individuals have the right to obtain confirmation that their Personal Data is processed and to access it. Data Controllers must respond within a month of the access request. A copy of the information must be provided free of charge. | Same as GDPR, but the DPA permits a reasonable fee to be charged. |
| Retention Period | Personal data should not be kept for longer than is necessary to fulfil the purpose for which it was originally collected. Controllers must inform data subjects of the period of time (or reasons why) data will be retained on collection. | Not a requirement under DPA. However, as with the GDPR, if there is no compelling reason for a Data Controller to retain Personal Data, a data subject can request its secure deletion.
|
| Right to Erase | Should the individual subsequently wish to have their data removed and the Personal Data is no longer required for the reasons for which it was collected, then it must be erased. Data Controllers must notify third party processors or sub-contractors of such requests. | Same as GDPR |
| Transfers | International transfers permitted to third party processors or between members of the same group. | Same as GDPR. |
| Data Security | Minimum security measures are prescribed as pseudonymisation and encryption, ability to restore the availability and access to data, regularly testing, assessing and evaluating security measures. | Appropriate technical and organisational measures must be taken to prevent unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data . |
| Data Processors | Security requirements are extended to data processors as well as Data Controllers | There is no liability for processors under the DPA. However, they may be held liable based on contract or tort law. |
| Data Breach | Data Controllers must notify the regulatory authority of Personal Data breaches without undue delay and, where feasible, not later than 72 hours after having become aware of a breach. | In the event of a Personal Data breach, the Data Controller must, “without undue delay” but no longer than five (5) days after the Data Controller should have been aware of that breach, notify the Ombudsman and any affected individuals |
| Breach Notice | The notification should describe the nature of the breach, its consequences, the measures proposed or taken by the Data Controller to address the breach, and the measures recommended by the Data Controller to the individual concerned to mitigate the possible adverse effects of the breach. | Same as GDPR. |
| Right to be Forgotten | An individual may request the deletion or removal of Personal Data where there is no compelling reason for its continued processing. | The DPA contains a similar right, although this is expressed as a general right of “erasure”. Under the UK’s Data Protection Act, the right is limited to processing that causes unwarranted and substantial damage or distress. Under the DPA this threshold is not present. As with the GDPR, if there is no compelling reason for a data controller to retain Personal Data, a data subject can request its secure deletion. |
| Right to Object | An individual has the right at any time to require a Data Controller to stop processing their Personal Data for the purposes of direct marketing. There are no exemptions or grounds to refuse. A Data Controller must deal with an objection to processing for direct marketing at any time and free of charge. | Same as GDPR. |
| Direct Marketing and Consent | The Data Controller must inform individuals of their right to object “at the point of first communication” and in a privacy notice. For any consent to be valid it needs to be obvious what the data is going to be used for at the point of data collection and the Data Controller needs to be able to show clearly how consent was gained and when it was obtained. | Including an unsubscribe facility in each marketing communication is recommended best practice. If an individual continues to accept the services of the Data Controller without objection, consent can be implied. |
| Data Processors | The GDPR sets out more detailed statutory requirements to apply to the controller/processor relationship, and to processors in general. Data Processors are now directly subject to regulation and are prohibited from processing Personal Data except on instructions from the Data Controller. | Best practice would always be to put in place a contract between a controller and processor. Essentially, the contract should require the Data Processor to level-up its policies and procedures for handling personal data to ensure compliance with the DPA. Use of sub-contractors by the service provider should be prohibited without the prior approval of the Data Controller. |
| Data Protection Officer | Mandatory if the core activities of the Data Controller consist of processing operations which require large scale regular and systematic monitoring of individuals or large scale processing of sensitive Personal Data. | Does not require the appointment, although this is recommended best practice. |
| Penalties | Two tiers of sanctions, with maximum fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater. | Refusal to comply or failure to comply with an order issued by the Ombudsman is an offence. Penalties are also included for unlawful obtaining or disclosing Personal Data. Directors may be held liable under certain conditions. The Data Controller is liable on conviction to a fine up to CI$100,000 (approx. US$122,000) or imprisonment for a term of 5 years or both. Monetary penalty orders of an amount up to CI$250,000 (US$304,878.05) may also be issued against a Data Controller. |
Further Assistance
This publication is not intended to be a substitute for specific legal advice or a legal opinion. If you require further advice relating to the matters discussed in this Briefing, please contact us. We would be delighted to assist.
E: gary.smith@loebsmith.com
E: robert.farrell@loebsmith.com
E: ivy.wong@loebsmith.com
E. elizabeth.kenny@loebsmith.com
E: cesare.bandini@loebsmith.com
E: vivian.huang@loebsmith.com
E: faye.huang@loebsmith.com
E: max.lee@loebsmith.com
E: frost.wu@loebsmith.com
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
The Cayman Islands Monetary Authority (“CIMA”) has recently published its annual AML/CFT Activity Report for 2022 which can be viewed at the following link: AML CFT Activity Report 2022 V1 (cima.ky) and there are a few points worth noting. In particular:
- CIMA carried out 88 Inspections in 2022 compared to 161 in 2021; only 3 of those inspections resulted in letters of no findings, which means that 85 resulted in findings (i.e. clarifications and/or remediations were required);
- CIMA issued 2 administrative fine penalties totaling CI$378,670.72 (approx. US$461,793. 56) relating to breaches of the Anti-Money Laundering Regulations (2023 Revision);
Securities Investment Businesses remains a key priority for CIMA and appropriate resources should be allocated to cover AML/CFT compliance; - VASPs are also identified as having medium to high overall inherent risk and are likely to be closely scrutinized by CIMA as they become more widespread – particular attention should be placed on compliance with the ‘Travel Rule’;
risk assessments (risk-based approach) remain important to demonstrate compliance (or lack thereof); - Client Due Diligence/Know Your Client documents ought to be checked and updated to ensure they are consistent with policies and procedures; and
documented corporate governance and leaving a paper trail behind any AML/CFT-related decisions being taken by the board is very important.
We have advised and guided clients in both 2022 and 2023 through a number of CIMA inspections resulting in either no findings or in findings but with no administrative fine penalties from CIMA. Should your Cayman Islands company become the subject of an upcoming inspection from CIMA, please do not hesitate to get in touch with us.
Further Assistance
This publication is not intended to be a substitute for specific legal advice or a legal opinion. If you require further advice relating to the matters discussed in this Briefing, please contact us. We would be delighted to assist.
E: gary.smith@loebsmith.com
E: robert.farrell@loebsmith.com
E: ivy.wong@loebsmith.com
E: elizabeth.kenny@loebsmith.com
E: cesare.bandini@loebsmith.com
E: vivian.huang@loebsmith.com
E: faye.huang@loebsmith.com
E: max.lee@loebsmith.com
E: frost.wu@loebsmith.com
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
Introduction
Loeb Smith is pleased to welcome Ivy Wong to the firm as Senior Legal Director for its Corporate practice in the Hong Kong office, where her practice focuses on advising multi-national corporations and conglomerates, shareholders, investment funds, financial institutions, banks, public and private companies, as well as high net worth individuals. Ivy will become a Partner of the firm pending upon registration as a foreign lawyer in Hong Kong.
Ivy is a seasoned corporate transactional lawyer who is qualified in multiple jurisdictions and has led many unprecedented and high-profile cross-border transactions that won industry awards and recognitions. She was previously a Partner and had served as a regional steering committee chair and a global steering committee member for her practice at one of the largest international law firms. Her practice is primarily focused on cross-border corporate work, capital markets, corporate finance, merger and acquisition, investments and restructuring, compliance and general commercial work.
Ivy is highly experienced in communicating with regulators, providing solutions that meet both regulatory and commercial needs, and advising board members and senior management in their corporate planning and transactions. With a track record serving a wide range of industry sectors, multiple of Ivy’s recent transactions are in healthcare, biotech and life sciences sectors.
Ivy has been shortlisted for Euromoney Asia Women in Business Law Award for consecutive years and is named one of the leading practitioners in Hong Kong. She is a Vice Chair of the Social Sustainability Committee of The British Chamber of Commerce in Hong Kong and sits on the judging panel for the Hong Kong Corporate Governance and ESG Excellence Awards co-conferred by the Chamber of Hong Kong Listed Companies. She has been quoted and interviewed by international media and journals including Bloomberg, CNBC, The Wall Street Journal, The Economist and Reuters.
“Ivy’s addition adds greater depth and expertise to the firm’s corporate, capital markets and M&A practice in Hong Kong for its international clients and enables the firm to better serve its clients and their business needs in Asia, practice areas that continue to be a strategic priority for our firm.” said Gary Smith, Partner. “Ivy is an experienced corporate transactional lawyer with a strong market profile, and a wonderful addition to our growing team in Hong Kong focused on offshore legal expertise and outstanding client service.”
“I am pleased to have the opportunity to join the team, which is young and energetic, with a clear vision for growth and commitment to the region. What sets it apart is also its expertise in the virtual assets space that is both cutting edge and fast-growing, and also its responsiveness to the regulatory changes and delivery of timely and quality advice to its clients.” said Ivy Wong.
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
Introduction
We are pleased to announce our firm’s recognition on The ALB Fast 30 list which reinforces the firm’s growth strategy in Asia by providing high quality technical legal advice and commercial solutions, outstanding client services, and continuous drive to stay at the forefront of the fast-changing business and technological landscapes in Asia.
We value that ALB has adequately appreciated the rapid and robust growth of Loeb Smith in the past year. We appreciate the recognition alongside other law firms in the region and are proud to have achieved a steady growth across our jurisdictions and practice areas and look forward to upholding the Loeb Smith standards of excellence.
Loeb Smith Attorneys is one of the leading offshore corporate law firms considered one of the most active and knowledgeable firms for advising on offshore investment funds formation and launch of all asset classes including public securities, private equity, venture capital, real estate, and virtual assets. Other areas of strength and growth are advising on M&A, Finance, Corporate Restructurings, Capital Markets, Regulatory Compliance, Investments, Logistics, Shipping and Aviation.
Considered a leading law firm in the Fintech and Blockchain Technology space, Loeb Smith also advises on token issuances, application for VASP licences for Web 3.0 businesses, Metaverse infrastructure and other virtual asset service providers, and utilising Cayman and BVI structures to develop virtual asset platforms for DAOs. Loeb Smith’s clients are investment managers, financial institutions, onshore counsels, and HNWIs who the firm advises on day-to-day legal issues and complex, strategic matters.
Some of our firm’s recent accolades are: winning Leading Firm in Client Satisfaction 2024 award by Legal 500; ranked in Investment Funds category and listed as one of the Firms To Watch for Corporate & Commercial by Legal 500 in 2024; named as Recommended Firm by IFLR 1000 from 2021 to 2024; named in Offshore Client Choice List by Asian Legal Business from 2021 to 2023; ranked amongst Top 30 Asia’s Fastest Growing Law Firms by Asian Legal Business in 2023 and 2024; ranked in The A-List: Top Offshore Lawyers by Asia Business Law Journal in 2022 and 2024; named as one of the ALB Hong Kong Firms to Watch 2024; winning Best Law Firm – Fund Domicile at Hedgeweek US Emerging Manager Awards 2023 and 2024; winning Best Law Firm – Fund Domicile at Private Equity Wire US Emerging Manager Awards 2023 and 2024; winning Best Law Firm – Fund Domicile at Private Equity Wire US Awards 2023; and winning The Best Offshore Law Firm – Client Service at With Intelligence HFM Asia Services Awards 2024.
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
On 31 August 2022, the Cayman Islands introduced the restructuring officer regime by making certain amendments to the Cayman Islands Companies Act. Please see link below to an article first published in IFC Review where Gary Smith and Robert Farrell consider the benefits of the Regime now that it has been in place for nearly twelve months, and how it is operating in practice. Cayman Islands:
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
We are pleased to share that Loeb Smith Attorneys has won Best Law Firm – Fund Domicile at the Private Equity Wire US Awards!
It feels great to see that our team’s relentless determination for successful closures has been recognized multiple times this year, including for the second time at Private Equity Wire Awards 2023. For the service provider categories, the nominated firms were based on a widespread survey of more than 500 GPs and other key industry participants. Congratulations to our Investment Funds team for their top notch legal advice and for working seamlessly between our offices in the BVI, the Cayman Islands and Hong Kong!
We thank Private Equity Wire and the clients for their vote!
Find out more here: https://awards.privateequitywire.co.uk/us-awards
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
Why and Where Do You Need to Be Offshore?
Wendy Au of Loeb Smith Hong Kong office shared her insight with SS&C Intralinks on what makes offshore destinations attractive to Asia-based fund managers with some key considerations and the different options available for fund domiciles.
Check out further at:
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
Good News
Following the conclusion of the FATF’s most recent plenary on 23 June 2023, the FATF has determined that the Cayman Islands has substantively fulfilled its action plan. Therefore, subject only to the completion of an on-site visit by the FATF later this year, which forms part of the FATF’s standard process for removing a jurisdiction from the Monitoring List, the Cayman Islands will be delisted. As the EU has previously confirmed that it does not require the Cayman Islands to take additional steps beyond those set out in the FATF’s action plan to facilitate removal from the EU AML List, it is widely expected that this will automatically follow. See more in our Article published in the Hong Kong Lawyer.
https://www.hk-lawyer.org/content/cayman-islands-satisfies-fatf-action-plan
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
The Virtual Assets Service Providers Act 2022 (the “VASP Act”) was enacted in the British Virgin Islands (“BVI”) on 1 February 2023. It creates the legal framework for the registration and supervision of Virtual Assets Service Providers (“VASPs”) operating in and from within the BVI.
Through the provisions of the VASP Act, the BVI Financial Services Commission (the “BVI FSC”) is established as the competent authority for the supervision of persons engaging in any virtual assets service.
Summary
For those persons who have been carrying on a virtual asset service prior to the coming into force of the VASP Act on 1 February 2023, the VASP Act allows a transitioning period of 6 months (ending therefore on 31 July 2023) within which they can either (1) submit an application to the BVI FSC to be registered as VASPs or (2) cease their VASP- related operations altogether.
Who is a Virtual Asset Service Provider?
By way of recap, the VASP Act defines a VASP as a virtual asset service provider who provides, as a business, a virtual assets service and is registered under the VASP Act to conduct one or more of the following activities or operations for or on behalf of another person:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets, where the transfer relates to conducting a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another;
- safekeeping or administration of virtual assets or instruments enabling control over virtual assets;
- participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual asset; or
- perform such other activity or operation as may be specified in the VASP Act or as may be prescribed by regulations made by the BVI FSC in connection with the VASP Act.
A virtual asset is a digital representation of value that can be digitally traded or transferred, and can be used for payment or investment purposes, but specifically does not include the following:
- digital representations of fiat currencies and other assets or matters specified in the guidelines which have been, and may in the future be, published in conjunction with the VASP Act; or
- a digital record of a credit against a financial institution of fiat currency, securities or other financial assets that can be transferred digitally.
Services Expressly Caught by the VASP Act
The following services have been included in a non-exhaustive list of virtual assets services and are, as such, regulated by the VASP Act when carried out on behalf of another person:
- hosting wallets or maintaining custody or control over another person’s virtual asset, wallet or private key;
- providing financial services relating to the issuance, offer or sale of a virtual asset;
- providing kiosks (such as automatic teller machines, bitcoin teller machines or vending machines) for the purpose of facilitating virtual assets activities through electronic terminals to enable the owner or operator of the kiosk to actively facilitate the exchange of virtual assets for fiat currency or other virtual assets; or
- engaging in any other activity that, under issued guidelines, constitutes the carrying on of the business of providing virtual asset service or issuing virtual assets or being involved in virtual asset activity.
Services Specifically Excluded from the Application of the VASP Act
Rather helpfully, the VASP Act also sets out a non-exhaustive list of some of the services which are specifically excluded from its remit and these are as follows:
- providing ancillary infrastructure to allow another person to offer a service, such as cloud data storage provider or integrity service provider responsible for verifying the accuracy of signatures;
- providing service as a software developer or provider of un-hosted wallets whose function is only to develop or sell software or hardware;
- solely creating or selling a software application or virtual asset platform;
- providing ancillary services or products to a virtual asset network, including the provision of services like hardware wallet manufacturer or provider of un-hosted wallets, to the extent that such services do not extend to engaging in or actively facilitating as a business any of those services for or on behalf of another person;
- solely engaging in the operation of a virtual asset network without engaging or facilitating any of the activities or operations of a VASP on behalf of customers;
- providing closed-loop items that are non-transferable, non-exchangeable and which cannot be used for payment or investment purposes; and
- accepting virtual assets as payment for good or services (such as the acceptance of virtual assets by a merchant when effecting the purchase of goods).
Registration Requirement and Timeline
Any person who wishes to carry on in or from within the BVI the business of providing a virtual asset service must be registered with the BVI FSC. For those persons, however, who have been carrying on a virtual asset service prior to the coming into force of the VASP Act on 1 February 2023, the VASP Act allows a transitioning period of 6 months (ending therefore on 31 July 2023) within which they can either submit an application to the BVI FSC to be registered as VASPs, migrate away from the BVI, or cease their VASP-related operations altogether.
As the transitional framework period for VASP registration expires on 31 July 2023 all VASPs operating from the BVI who have not yet applied for registration/licensing with the BVI FSC need to act NOW.
Further Assistance
This publication is not intended to be a substitute for specific legal advice or a legal opinion. If you require further advice relating to the Virtual Assets Service Providers Act, please contact us. We would be delighted to assist.
E: gary.smith@loebsmith.com
E: robert.farrell@loebsmith.com
E: elizabeth.kenny@loebsmith.com
E: cesare.bandini@loebsmith.com
E: vivian.huang@loebsmith.com
E: faye.huang@loebsmith.com
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
We are excited to announce that Loeb Smith has been shortlisted in two categories for the prestigious With Intelligence HFM Asian Services Awards:
With Intelligence HFM Asian Services Awards recognize and celebrate excellence in hedge fund services. The jury will announce the results at the ceremony taking place in Hong Kong on September 6, 2023, based on the following criteria:
- Commercial success and business growth
- Demonstration of product or service innovation
- Description of future product or service development possibilities
- Positive customer feedback via submitted testimonials
We would like to thank first of all our team in Hong Kong and across Cayman Islands and the BVI for their constant dedication, our clients in Asia for their support, and the HFM Asian Services jury members for this nomination!
This follows the recognition of Asian Legal Business’ Offshore Client Choice List 2023 for the third consecutive year as well as our Hong Kong Partner Peter Vas being awarded with ALB Hong Kong Rising Stars 2023.
For more information please visit https://hfmasiaservicesawards.com/hfmasianservicesawards2023/en/page/2023-shortlist
Share to WeChat
“Scan QR Code” in WeChat and tap ··· to share.
