Cayman island corporate governance rule now in effect

The primary change from the original corporate governance guidance are the rules noted are binding obligations subject to fines or regulatory actions. The previous rules provided minimum expectations in respect to governance. Per CIMA’s new guidance, Corporate Governance Rule Section 5.1.1, “A regulated entity must establish, implement, and maintain a corporate governance framework which provides for sound and prudent management oversight of the regulated entity’s business and protects the legitimate interests of relevant stakeholders.”

At a minimum, a governing body (i.e. Board of Director’s or those Charged with Governance of the entity's under the regulation) under the new guidance is responsible for ensuring the following areas for the regulated entity are implemented:

“a) Objectives and strategies of the regulated entity;

b) Structure of the governance of the Governing Body;

c) Appropriate allocation of oversight and management responsibilities;

d) Independence and objectivity;

e) Collective duties of the Governing Body;

f) Duties of individual directors of the Governing Body;

g) Appointments and delegation of functions and responsibilities; Rule on Corporate Governance for Regulated Entities Cayman Islands Monetary Authority;

h) Risk management and internal control systems;

i) Conflicts of interest and code of conduct;

j) Remuneration policy and practices;

k) Reliable and transparent financial reporting;

l) Transparency and communications;

m) Duties of Senior Management; and

n) Relations with the authority.”

The ruling provides detailed guidance on how each area would be appropriately implemented by the governing body. The governing body is responsible for maintaining these standards and ensuring sufficient management oversight is implemented. These rules should be familiar for fund managers who are registered investment advisors under the PCAOB and SEC. However, managers should become familiar with CIMA’s specific ruling on corporate governance to ensure that all Cayman regulated funds are following compliance. Any update in documented policies should be revised to implement considerations of the ruling.

Key areas the manager’s should also take note of section 5.9.1, which states governing bodies, “must provide oversight in respect of the design and implementation of sound risk management and internal control systems and functions.”

Another key area is 5.12.1. about reliable and transparent financial reporting. “The Governing Body must ensure there is a reliable financial reporting process for internal, public, and supervisory purposes that is supported by clearly defined roles and responsibilities of the Governing Body, Senior Management and the external auditor. 

5.12.2. The Governing Body must establish an audit committee or equivalent that is commensurate with the size, complexity, structure, nature of business and risk profile of the regulated entity.” The audit committee is ultimately responsible for the oversight of the financial reporting process, including appointing auditors and ensuring compliance with all regulatory matters, ensuring internal controls are in place.  

CIMA seems to be taking their guidance around corporate governance much more seriously. Implementing the specific rulings along with increased monitoring to ensure compliance is met across all entities under the regulations. These updated laws are meant to protect investors and make sure fund managers are held accountable for implementing a proper corporate governance structure consistently across all entities regulated under CIMA.  

For further details of each specific area and to ensure your entity is in compliance with the requirements please review the guidance here: CIMA Rule on Corporate Governance for Regulated Entities and Statement of Guidance - Corporate Governance for Mutual Funds and Private Funds  

Tone at the top is first, with internal controls primarily the responsibility of governance, and senior management plays a key role in implementing an effective control environment. The governing body should be responsible for ensuring an effective system of internal controls is in place, review overall business strategies, and demonstrate independence. Senior management is responsible for implementing the policies approved by the governing body to implement a system of internal controls.

“Regulated entities are required to demonstrate a commitment to integrity and ethical values.” (Sec. 8.10) The governing body and senior management are responsible for establishing a high standard of ethical values and emphasize the importance of internal controls. A regulated entity is to hold persons assigned responsibility over controls. These control owners are held accountable and consistent performance reviews should be held. If services are outsourced management should implement an evaluation process to ensure the third party maintains effective controls over those activities.

A regulated entities risk assessment should be a process of identifying potential risks to the entity’s objectives, operations, processes, and procedure. Once identified management should determine how these risks are to be mitigated by the entity’s control environment, this process should be continuous and constantly evaluated. The assessment should cover all material risks including the risk of fraud.

Regulated entities should develop and document control activities that achieve the mitigation of the risks assessed. Controls should be defined at every level of entities operations and for every department. Control procedures should be assessed and verified they are working appropriately. The governing body and management should review reports on control assessments to ensure controls are operating effectively. Control procedure examples found in Section 10 include: 

• High level reviews by management and those charged with governance 
• Activity level controls 
• Physical controls 
• Controls over compliance and non-compliance on exposure limits 
• Transaction authorizations and approvals 
• Verification and reconciliations 
• Supervisory controls 

Like control requirements seen in the United States and Europe, a regulated entity’s segregation of duties is based on the size, nature, risks, and complexity of the entity. The use of a Third-party Administrator provides an independent performance of accounting and back-office functions, mitigating the risk of fraud. Management should take steps to ensure the administrator is following proper control and segregation of duty policies.

Regulated entities must be able to obtain, generate, and ensure the use of information from both internal and external sources that is relevant, dependable, timely, and accurate. Accuracy of information provides effective internal control functions. Controls should be implemented for information used for external reporting purposes, internal operations, supporting documentation for recordkeeping, compliance, or documentation of controls, ensuring it is complete and accurate.

 “Regulated entities must establish and implement appropriate processes for monitoring the effectiveness of their internal controls.” (Sec. 12.1) These processes should be an ongoing part of daily activities but also periodically as appropriate. An internal audit function or independent audit of the control system should be conducted as applicable. The internal audit function should report directly to the governing body and findings communicated to management.  

Control deficiencies, whether reported internally or through the internal audit function, should be communicated timely to the appropriate parties and a corrective action plan put in place. Reporting should be dependent on the level of deficiency set by the governing body. Management should develop a way of tracking the action plan and implementation of updated control procedures if necessary. 

Part II – Sector Specific Rules and Guidelines  

In Part II, CIMA provides operational control guidance to specifically trust companies, company managers, and corporate service providers in Section A, and more specifically securities investment businesses (of funds) in Section B. These controls offer further guidance for the specialized areas.  

In summary of what is in the guidance the operational controls that these entities are:

• Segregation of client assets and those of the regulated entities
• Client money should have distinct accounts from other clients and the regulated entities
• Written disclosures of terms for client money held
• Proper reconciliation of client accounts is performed
• Authorization/dual signing approval for client transactions
• Implemented procedures to prevent misuse of client funds

Summary of operations controls guidance:

• Policies and procedures to prevent conflicts of interest
• Establishing procedures for discretionary authority over client accounts
• Establish and maintain review procedures to ensure accuracy and prevent errors for trades or client transactions
• Proper segregation of client funds and the regulated entity