A reminder that the Cayman Islands Monetary Authority’s (CIMA) new Rule on Corporate Governance for Regulated Entities (Corporate Governance Rule) and Rule and Statement of Guidance on Internal Controls for Regulated Entities (Internal Controls Rule and SOG) comes into effect on 14 October 2023. If not already done, certain steps should be undertaken for any entities regulated by CIMA (regulated entities).

The key requirements and action points are summarised below.

For an overview of CIMA’s Statement of Guidance – Corporate Governance – Mutual Funds and Private Funds (Corporate Governance SOG), please see our previous Alert here.

Key Sections:

• The Corporate Governance Rule
• The Corporate Governance Rule – Action Points
• The Internal Controls Rule and SOG
• The Internal Controls Rule and SOG – Action Points

Applicability and Effective Date

The Corporate Governance Rule and Internal Controls Rule and SOG will apply to all CIMA regulated entities (including regulated mutual funds and private funds) with effect from 14 October 2023. Unlike the Corporate Governance SOG which provides guidance on CIMA’s minimum expectations in respect of sound and prudent fund governance, the Corporate Governance Rule and Internal Controls Rule and SOG will create binding obligations, a breach of which may lead to the imposition of fines or other regulatory action.

The Corporate Governance Rule

The Corporate Governance Rule applies to the governing body (board, general partner, manager or board of trustees, as applicable) of all CIMA regulated entities and provides that an entity’s corporate governance framework should be commensurate with the size, complexity, structure, nature of business and risk profile of its operations.

A regulated entity must establish, implement, and maintain a corporate governance framework which provides for sound and prudent management oversight of the regulated entity’s business and protects the legitimate interests of relevant stakeholders.

At a minimum, the governing body is responsible for documenting and implementing a corporate governance framework that addresses the following:

• Objectives and Strategies of the Regulated Entity;
• Structure and Governance of the Governing Body;
• Appropriate Allocation of Oversight and Management Responsibilities;
• Independence and Objectivity;
• Collective Duties of the Governing Body;
• Duties of Individual Directors of the Governing Body;
• Appointments and Delegation of Functions and Responsibilities;
• Risk Management and Internal Control Systems;
• Conflicts of Interest and Code of Conduct;
• Remuneration Policy and Practices;
• Reliable and Transparent Financial Reporting;
• Transparency and Communications;
• Duties of Senior Management; and
• Relations with CIMA.

The Corporate Governance Rule – Action Points

Documentation: In order to demonstrate effective compliance, it will be necessary to ensure that documentary records, policies, procedures, agreements and minutes are kept. It is recommended that the governing bodies of regulated entities understand their obligations and review their existing corporate governance and internal controls frameworks in advance of the deadline of 14 October 2023.

Meetings: The governing body is required to meet at least once per year to review the regulated entity’s strategic objectives and policies and the composition of the governing body itself, including the completion of performance self-assessments. The governing body should also review the implementation of internal controls, risk assessments and management systems to ensure risks are measured, monitored and mitigated and any identified deficiencies are addressed. Any conflicts of interest should be declared throughout the year and confirmed in writing via annual declaration.

Outsourcing and Reporting: Where functions are outsourced, ultimate responsibility for such delegated functions remains with the governing body. Accordingly, such arrangements must be documented and monitored. The governing body must also put in place a compliance committee or person to report on all compliance matters. Depending upon the size, complexity, structure of business and risk profile of the business, this requirement may be discharged by reports (at least annually) from the entity’s anti-money laundering compliance officer or another suitably qualified compliance or legal professional. Financial reporting should be completed by an audit committee (or equivalent) appointed by the governing body.

The Internal Controls Rule and SOG

The Internal Controls Rule and SOG sets out CIMA’s rules and guidance in respect of the way regulated entities are structured and operated in order to ensure the ability to carry on business in an orderly and efficient manner, the safeguarding of its and its clients’ assets, the maintenance of proper records and the reliability of financial, operational and regulatory reports, and compliance with all applicable acts and regulatory requirements. It is comprised of two parts. Part I sets out general rules and guidelines applicable to all regulated entities in respect of five components of internal control, namely:

• Control Environment;
• Risk Identification and Assessment;
• Control Activities and Segregation of Duties;
• Information and Communication; and
• Monitoring Activities and Correcting Deficiencies.

Part II contains sector specific rules and guidelines for trust companies, company managers, corporate services providers and securities investment business (not covered in this Alert).

CIMA recognises that regulated entities may outsource some business functions and delegate certain duties to service providers. In such circumstances it is possible to rely on the service providers’ system of internal controls provided that that the governing body can demonstrate to CIMA that such system of internal controls meets the requirements of the Internal Controls Rule and SOG. Similarly, a regulated entity, if part of a group, may rely on the group’s system of internal controls provided all requirements are satisfied. To determine this, consideration should be given to the size, complexity, structure, nature of business and risk profile of the regulated entity.

The Internal Controls Rule and SOG – Action Points

Documentation: As the governing body is ultimately responsible for ensuring that an adequate and effective system of internal control is established and maintained, documentation of the same is important to monitor effectiveness and demonstrate compliance.

Training: Staff training and skills must be regularly updated to ensure compliance with the entity’s operational and internal control policies and procedures and compliance with all applicable legal and regulatory requirements.

Committees: The governing body must be able to demonstrate it has implemented both a compliance committee and an audit committee (or equivalent).

Outsourcing: The governing body must take steps to ensure a service provider’s systems meet the requirements of the Internal Controls Rule and SOG, for example, by obtaining confirmation from the relevant service provider to this effect and ensuring a suitable gap-analysis of the Cayman Islands and locally-applicable requirements is undertaken.

Risk Assessment: Regulated entities must identify and assess all material risks to the achievement of their objectives. They must also develop control activities to mitigate identified risks through policies that establish what is expected and procedures that put the policies into action.

[View source.]