
Cayman Islands corporate governance rule now in effect

On Oct. 14, 2023, the Cayman Islands Monetary Authority’s (CIMA) new Rule on Corporate Governance for Regulated Entities (the ruling) went into effect. First published in April 2023, the Corporate Governance Rule applies to all CIMA regulated entities. CIMA also published a separate statement of guidance specifically for registered mutual funds and private funds, as well as on internal controls for regulated entities. Any managers who have related entities should also review those publications, as they provide specific details regarding industry-related requirements and operational functions. Unlike the ruling, the statement of guidance is not meant to be exhaustive; it sets out minimum requirements the entities should follow.

The primary change from the original corporate governance guidance is that the rules noted are binding obligations subject to fines or regulatory actions. The previous rules provided minimum expectations with respect to governance. Per CIMA’s new guidance, Corporate Governance Rule Section 5.1.1, “A regulated entity must establish, implement, and maintain a corporate governance framework which provides for sound and prudent management oversight of the regulated entity’s business and protects the legitimate interests of relevant stakeholders.”

At a minimum, a governing body (i.e., the Board of Directors or those charged with governance of the entity under the regulation) is responsible under the new guidance for ensuring the following areas are implemented for the regulated entity:

“a) Objectives and strategies of the regulated entity;

b) Structure of the governance of the Governing Body;

c) Appropriate allocation of oversight and management responsibilities;

d) Independence and objectivity;

e) Collective duties of the Governing Body;

f) Duties of individual directors of the Governing Body;

g) Appointments and delegation of functions and responsibilities;

h) Risk management and internal control systems;

i) Conflicts of interest and code of conduct;

j) Remuneration policy and practices;

k) Reliable and transparent financial reporting;

l) Transparency and communications;

m) Duties of Senior Management; and

n) Relations with the authority.”

The ruling provides detailed guidance on how each area would be appropriately implemented by the governing body. The governing body is responsible for maintaining these standards and ensuring sufficient management oversight is implemented. These rules should be familiar to fund managers who are registered investment advisors under the PCAOB and SEC. However, managers should become familiar with CIMA’s specific ruling on corporate governance to ensure that all Cayman regulated funds are in compliance. Any documented policies should be revised to implement considerations of the ruling.

A key area managers should also take note of is section 5.9.1, which states that governing bodies “must provide oversight in respect of the design and implementation of sound risk management and internal control systems and functions.”

Another key area is 5.12.1, about reliable and transparent financial reporting: “The Governing Body must ensure there is a reliable financial reporting process for internal, public, and supervisory purposes that is supported by clearly defined roles and responsibilities of the Governing Body, Senior Management and the external auditor.

5.12.2. The Governing Body must establish an audit committee or equivalent that is commensurate with the size, complexity, structure, nature of business and risk profile of the regulated entity.” The audit committee is ultimately responsible for the oversight of the financial reporting process, including appointing auditors, ensuring compliance with all regulatory matters, and ensuring internal controls are in place.

CIMA seems to be taking its guidance around corporate governance much more seriously, implementing the specific rulings along with increased monitoring to ensure compliance is met across all entities under the regulations. These updated laws are meant to protect investors and make sure fund managers are held accountable for implementing a proper corporate governance structure consistently across all entities regulated under CIMA.

For further details of each specific area and to ensure your entity is in compliance with the requirements, please review the guidance here: CIMA Rule on Corporate Governance for Regulated Entities and Statement of Guidance - Corporate Governance for Mutual Funds and Private Funds

An overview of the Cayman Islands rule and statement of guidance for internal controls for regulated entities

On Oct. 14, 2023, another ruling, CIMA’s new Rule and Statement of Guidance on Internal Controls for Regulated Entities, went into effect. First published in April 2023, the rule and statement of guidance apply to all CIMA regulated entities.


Rule and SOG internal controls for regulated entities 

CIMA explicitly states in section 2.1 of the guidance that the purpose is “To set out the Authority’s rules and guidance on the requirements for regulated entities with regards to internal controls. In general, internal controls represent the way a regulated entity is structured and operated so that reasonable assurance is provided of:

a) the ability to carry on its business in an orderly and efficient manner; 

b) the safeguarding of its and its clients’ assets;  

c) the maintenance of proper records and the reliability of financial, operational, and regulatory reports; and  

d) the compliance with all applicable acts and regulatory requirements.” 

CIMA further acknowledges that internal control needs will differ depending on the size and nature of the entities. The use of third-party services is also common for back-office, payroll, and accounting functions. This is why the rule is not meant to be exhaustive but sets out requirements and minimum expectations that all entities should follow and consider for their operations. Below is a brief overview of the Rule and Statement of Guidance for Internal Controls for Regulated Entities directly from CIMA’s website.

Part I – Rules and Guidelines for all regulated entities 

Tone at the top comes first: internal controls are primarily the responsibility of governance, and senior management plays a key role in implementing an effective control environment. The governing body should be responsible for ensuring an effective system of internal controls is in place, reviewing overall business strategies, and demonstrating independence. Senior management is responsible for implementing the policies approved by the governing body to implement a system of internal controls.

“Regulated entities are required to demonstrate a commitment to integrity and ethical values.” (Sec. 8.10) The governing body and senior management are responsible for establishing a high standard of ethical values and emphasizing the importance of internal controls. A regulated entity is to have persons assigned responsibility over controls. These control owners are held accountable, and consistent performance reviews should be held. If services are outsourced, management should implement an evaluation process to ensure the third party maintains effective controls over those activities.

A regulated entity’s risk assessment should be a process of identifying potential risks to the entity’s objectives, operations, processes, and procedures. Once risks are identified, management should determine how they are to be mitigated by the entity’s control environment; this process should be continuous and constantly evaluated. The assessment should cover all material risks, including the risk of fraud.

Regulated entities should develop and document control activities that achieve the mitigation of the risks assessed. Controls should be defined at every level of the entity’s operations and for every department. Control procedures should be assessed and verified to be working appropriately. The governing body and management should review reports on control assessments to ensure controls are operating effectively. Control procedure examples found in Section 10 include:

  • High level reviews by management and those charged with governance 
  • Activity level controls 
  • Physical controls 
  • Controls over compliance and non-compliance on exposure limits 
  • Transaction authorizations and approvals 
  • Verification and reconciliations 
  • Supervisory controls 

Like control requirements seen in the United States and Europe, a regulated entity’s segregation of duties is based on the size, nature, risks, and complexity of the entity. The use of a Third-party Administrator provides an independent performance of accounting and back-office functions, mitigating the risk of fraud. Management should take steps to ensure the administrator is following proper control and segregation of duty policies.

Regulated entities must be able to obtain, generate, and ensure the use of information from both internal and external sources that is relevant, dependable, timely, and accurate. Accuracy of information provides effective internal control functions. Controls should be implemented for information used for external reporting purposes, internal operations, supporting documentation for recordkeeping, compliance, or documentation of controls, ensuring it is complete and accurate.

“Regulated entities must establish and implement appropriate processes for monitoring the effectiveness of their internal controls.” (Sec. 12.1) These processes should be an ongoing part of daily activities but should also be performed periodically as appropriate. An internal audit function or independent audit of the control system should be conducted as applicable. The internal audit function should report directly to the governing body, and findings should be communicated to management.

Control deficiencies, whether reported internally or through the internal audit function, should be communicated in a timely manner to the appropriate parties, and a corrective action plan should be put in place. Reporting should be dependent on the level of deficiency set by the governing body. Management should develop a way of tracking the action plan and the implementation of updated control procedures if necessary.

Part II – Sector Specific Rules and Guidelines  

In Part II, CIMA provides operational control guidance specifically to trust companies, company managers, and corporate service providers in Section A, and more specifically to securities investment businesses (of funds) in Section B. These controls offer further guidance for the specialized areas.


In summary, the operational controls in the guidance for these entities are:

  • Segregation of client assets and those of the regulated entities
  • Client money should have distinct accounts from other clients and the regulated entities
  • Written disclosures of terms for client money held
  • Proper reconciliation of client accounts is performed
  • Authorization/dual signing approval for client transactions
  • Implemented procedures to prevent misuse of client funds

Summary of operations controls guidance:

  • Policies and procedures to prevent conflicts of interest
  • Establishing procedures for discretionary authority over client accounts
  • Establish and maintain review procedures to ensure accuracy and prevent errors for trades or client transactions
  • Proper segregation of client funds and the regulated entity

In the past, CIMA has received recommendations from watchdog groups to implement more structured laws and regulations for entities. The guidance in place was considered relaxed. The Cayman Islands’ regulatory body appears to be listening, implementing these specific rulings along with increased monitoring to ensure compliance is met across all entities under the regulations. These updated laws are meant to protect investors and make sure fund managers are held accountable for implementing the internal controls necessary to meet the size and operations of the entity. The updated rulings should make it easier for managers to implement their controls consistently across all funds. It may take some initial work to ensure all new requirements are in place. Managers who are also registered investment advisors in the United States should be able to reconcile the controls in place and documented for US requirements to the Cayman guidance.

For more details on each specific area covered by the Rule and Statement of Guidance for Internal Controls for Regulated Entities, please see the Rule link here: Rule and Statement of Guidance - Internal Controls for Regulated Entities
