Beyond anti-money laundering laws in the Caribbean

Come next month, the Jamaica data privacy law comes into force, requiring the registration of data processing activities. Although the law has been in place for a few years, it will now be actively monitored and policed by the Jamaican Data Privacy Authority. Amazingly, it seems to have caught several people and businesses off guard, which is ironic given that the government has been telegraphing their intentions for some time. Under this law, data controllers (entities legally authorized to determine how personally identifiable information should be processed) and data processors (businesses who process such data on behalf of controllers) must register by this time or find themselves in breach of the law.

Given the prompt reaction by businesses regarding compliance and regulations pertaining to finance, I began to think about what compliance means in an increasingly data-driven world. Reflecting on the current iteration of the Barbados Association of Compliance Professionals, one gets the sense that the focus is predominantly on Anti-Money Laundering (AML). This perspective is especially evident given the association’s inception on April 8, 2013. It comprises compliance and other relevant professionals from various sectors, including supervision, banking, finance, corporate and trust services, legal services, and non-traditional business services with regulatory obligations under Barbadian law. The composition of the board may reflect a cultural aspect that hasn’t evolved, considering its historical context, which has primarily focused on financial crimes where AML has been given the spotlight.

So, at a minimum, what should the composition of the region’s compliance regimes be? It’s clear that we need to demonstrate a view beyond AML as the most valued or revered discipline. We should also embrace cybersecurity, data privacy, and, of course, corporate governance—areas in which we’re seeing many fall short.

In 2022, Dr Gene Leon, president of the Caribbean Development Bank (CDB), spoke at the Caribbean Conference on Corruption, Compliance, and Cybercrime. Dr Leon emphasised the importance of good governance and compliance frameworks for the sustainable development of the Caribbean. In his opening statement, he said: “Effective compliance and governance are essential to build resilient economies that can withstand the challenges posed by financial crimes and cyber threats.”

At this point, Caribbean regional compliance associations should be fleshing out and giving leadership to the emerging regulated disciplines of cybersecurity, data privacy, and corporate governance. These are critical areas where we’re seeing many deficiencies. Given that most countries across the region have data privacy laws and a growing number of cyberattacks on government and critical infrastructure entities, it’s imperative to adapt.

Countries like the United States have implemented laws such as Executive Order 13636: Improving Critical Infrastructure Cybersecurity (2013) and the Cybersecurity Information Sharing Act (CISA) (2015). Similarly, the UK’s ‘Cyber Essentials’ is a government-backed cybersecurity certification scheme designed to help organisations protect themselves against the most common cyber threats. These examples underscore the need for robust frameworks that the Caribbean region can emulate to bolster its cybersecurity posture.

So, what might a new Caribbean compliance association’s programme look like? It will have four pillars:

Financial services: This pillar will focus on traditional compliance areas within the financial sector, including anti-money laundering (AML), counter-terrorism financing (CTF), and know-your-customer (KYC) regulations. Specialists will ensure financial institutions adhere to both local and international regulations to prevent financial crimes. Training and certification programmes will be provided to keep professionals updated on the latest regulatory changes and best practices.

Corporate governance: This pillar will promote ethical business practices, accountability, and transparency within organizations. Specialists will help companies develop and implement robust governance frameworks, ensuring that they meet legal requirements and industry standards. Programmes will cover board responsibilities, shareholder rights, stakeholder engagement, and internal control mechanisms.

Cyber risk: This pillar will address the increasing threats to cybersecurity and the need for comprehensive risk management strategies. Specialists will focus on identifying, assessing, and mitigating cyber risks to protect sensitive data and maintain business continuity. Training will include best practices for cybersecurity, incident response planning, and adherence to international standards such as ISO/IEC 27001.

Data privacy: This pillar will ensure organizations comply with data privacy laws and regulations, such as the Data Protection Act (Barbados) 2019 or General Data Protection Regulation (GDPR) and local data protection acts. Specialists will guide businesses in implementing data protection policies, conducting privacy impact assessments, and ensuring the lawful processing of personal data. Programs will provide up-to-date information on data privacy rights, data breaches, and the roles of data protection officers (DPOs).

By broadening the scope of compliance to include these critical areas, the Caribbean regional compliance associations can provide the necessary leadership and framework to ensure that businesses and government entities alike are well-protected and compliant with evolving regulations. This comprehensive approach not only meets regulatory requirements, which always advocate for trained specialists but also enhances the overall resilience and reputation of organisations across the region.

steven@dataprivacy.bb