The new Corporate Governance Rule and Internal Controls Rule and SOG by the Cayman Islands Monetary Authority (CIMA) became effective on the 14th of October 2023 for regulated entities (ICR and SOG).
The following are the significant requirements and actionable items that must be considered for regulated entities by CIMA.
The Corporate Governance Rule
All CIMA regulated entities are required to adhere to the Corporate Governance Rule, which applies to the governing board (including the general partner, manager, or board of trustees, where applicable). It mandates that the corporate governance framework of the entity should align with its size, complexity, structure, nature of operations, and associated risks.
A regulated entity must ensure the establishment, execution, and maintenance of a comprehensive corporate governance framework that enables effective management oversight of the entity's operations while safeguarding the interests of stakeholders.
To comply with the Corporate Governance Rule, the governing board must, at a minimum, document and implement a framework that covers the following areas:
Objectives and Strategies of the Regulated Entity;
Structure and Governance of the Governing Body;
Appropriate Allocation of Oversight and Management Responsibilities;
Independence and Objectivity;
Collective Duties of the Governing Body;
Duties of Individual Directors of the Governing Body;
Appointments and Delegation of Functions and Responsibilities;
Risk Management and Internal Control Systems;
Conflicts of Interest and Code of Conduct;
Remuneration Policy and Practices;
Reliable and Transparent Financial Reporting;
Transparency and Communications;
Duties of Senior Management and Relations with CIMA.
Documentation: In order to exhibit successful adherence, it is important to maintain proper documentation such as records, policies, procedures, agreements, and minutes. It is advisable for the governing bodies of regulated entities to comprehend their responsibilities and assess their current corporate governance and internal controls frameworks.
Meetings: The body must hold a meeting yearly to assess the strategic goals and the policies of the organization that it oversees, as well as evaluating the governing body itself. The body also needs to review the implementation of internal controls, risk assessments, and management systems to ensure that risks are assessed, monitored, and minimized, and any identified weaknesses are addressed. Additionally, any conflicts of interest should be disclosed throughout the year and formally confirmed through an annual declaration.
Outsourcing and Reporting: The governing body bears the ultimate responsibility for delegated functions that are outsourced. Therefore, it is necessary to document and track such arrangements. In addition, the governing should establish a compliance committee or designate a person to provide regular reporting on all compliance issues. The specific method for fulfilling this requirement, such as receiving annual reports from the anti-money laundering compliance officer or a qualified compliance or legal professional, depends on factors such as the size, structure, complexity, and risk profile of the business. The governing body should also ensure that financial reporting is carried out by an audit committee, or a similar entity appointed by them.
The ICR and SOG
CIMA's Internal Controls Rule and SOG lays out guidelines that regulated entities must follow, regarding their organizational structure, operations, and internal controls, to achieve efficient business operations, protect client assets, maintain accurate records, and submit reliable financial, operational, and regulatory reports.
The rule has two parts:
Part I comprising general regulations and guidelines that apply to all regulated entities and address five internal control components:
Risk Identification and Assessment;
Control Activities and Segregation of Duties;
Information and Communication;
Monitoring Activities and Correcting Deficiencies.
Part II includes specific regulations and guidelines for trust companies, company managers, corporate services providers, and securities investment businesses.
CIMA acknowledges that regulated entities might outsource some business functions and delegate responsibilities to service providers. In such cases, the regulated entity could depend on the service providers' internal controls system as long as they prove to CIMA that it fulfils the ICR's and SOG's requirements. If a regulated entity is part of a group, they may rely on the group's internal controls system provided that all requirements are met. The regulated entity's size, complexity, structure, nature of business, and risk profile should be considered to determine this.
Documentation: Since the governing body is ultimately accountable for establishing and maintaining a sufficient and efficient internal control system, it is crucial to document it to track effectiveness and prove compliance.
Training: It's necessary to continuously update the training and skills of staff to adhere to the entity's operational and internal control policies and procedures, as well as comply with relevant legal and regulatory requirements.
Committees: It's essential for the governing body to provide evidence of having installed both an audit committee (or its equivalent) and a compliance committee.
Outsourcing: To comply with the ICR and SOG, the governing body should ensure that the service provider's systems meet the necessary standards. This can be achieved by obtaining confirmation from the service provider and conducting a thorough analysis of the relevant Cayman Islands and their local requirements.
Risk Assessment: To achieve their goals, regulated entities must identify and evaluate all significant risks that may hinder their progress. Additionally, they should develop control activities that ward off such potential risks. These would be drafting policies that outline expected conduct and procedures that implement those guidelines.
If you require assistance in relation to the above and/or would like to discuss anything further, please do not hesitate to contact firstname.lastname@example.org or your usual A.C.T. contact.