In part two of this publication series, Appleby's regulatory team consider the updated corporate governance guidance for regulated funds, the revised rule and guidance on Cybersecurity and the revised guidance on record retention.

In the first instalment published on 22 May 2023, Appleby's regulatory team considered the revised Outsourcing guidance, the new rule and guidance on Internal Controls and the new rule on Corporate Governance.

LEGAL BASIS

CIMA has the power to impose a fine or to take regulatory action against a regulated financial service provider where a breach of a "prescribed provision", as defined in the Monetary Authority (Administrative Fines) Regulations 2022, has been or is being committed. Prescribed provisions are found in a number of different pieces of financial services legislation and CIMA rules. Although none of the prescribed provisions explicitly refers to "statements of guidance", certain of them do cross-refer to CIMA published guidance. This means that, while the statements of guidance do not themselves have the force of law, a failure to follow them may be relevant to whether a prescribed provision has been breached, so they must be borne in mind from a regulatory compliance perspective.

RULE AND SOG ON CYBERSECURITY FOR REGULATED ENTITIES

The rule and statement of guidance on cybersecurity (Cybersecurity Measures) were updated to expand their scope to include virtual asset service providers (VASPs) and persons registered under the Securities Investment Business Act (as amended) (Registered Persons).

Helpfully, the revisions clarify that the existing exemption for funds registered under the Mutual Funds Act (as revised) (Mutual Funds Act) also applies to funds registered under the Private Funds Act (as revised) (Private Funds Act).

The Cybersecurity Measures require regulated entities to develop effective IT and cybersecurity governance and risk management frameworks. Regulated entities must incorporate the Cybersecurity Measures into those frameworks in a documented way, because CIMA expects documentation evidencing this to be produced as part of a CIMA inspection. We understand that certain CIMA inspections have highlighted areas where a firm's IT and cybersecurity governance and risk management have fallen short of CIMA's expected standards.

As with other regulators, CIMA is aware of the ongoing challenge regulated entities face in protecting against attacks by cyber criminals. Consequently, CIMA has increased its supervisory oversight of IT and cybersecurity related risks in recent years. Regulated entities must ensure that their IT and cybersecurity policies and procedures are aligned with the Cybersecurity Measures, in particular where an entity outsources some or all of its IT function, whether externally to a third-party service provider or internally within its own group; outsourcing the function does not outsource the regulatory responsibility for it.

SOG ON THE NATURE, ACCESSIBILITY AND RETENTION OF RECORDS (RECORD RETENTION GUIDANCE)

The updates made to the Record Retention Guidance were relatively minor, primarily clarifying that the requirements apply to all regulated entities (including VASPs and Registered Persons). The Record Retention Guidance sets out CIMA's minimum expectations on the retention of all relevant documentation and records (e.g., regulatory correspondence and corporate documentation). CIMA expects regulated entities to have a clearly defined record management system in place.

There is some overlap between the Record Retention Guidance and the requirements of the Anti-Money Laundering Regulations and the related AML-CTF guidance notes. Regulated entities that annually review and, where needed, update their AML-CTF policies and procedures should also consider the Record Retention Guidance as part of that process, to ensure that all requirements are met.

CORPORATE GOVERNANCE SOG FOR CIMA REGULATED FUNDS

This corporate governance guidance sets out CIMA's minimum expectations for operators of regulated funds, to ensure that the funds operate efficiently and in the interests of investors. The key material change to this guidance has been to extend its scope to include funds registered under the Private Funds Act.

The reference to "Governing Body" in the previously issued guidance has been replaced with the term "Operator", meaning those individuals with primary responsibility for the governance of a regulated fund, e.g., the board of directors in the case of a company and the general partner in the case of a partnership.

The revised guidance includes new provisions relating to:

Composition of the Operator: there is no recommended minimum size, but the Operator shall have a diversity of skills, background, experience and expertise so that there is an overall adequate level of competence at the level of the Operator.

Meetings: the Operator shall meet as often as is appropriate to fulfil its responsibilities effectively and prudently, reflective of the size, complexity, structure, nature of business and risk profile of the regulated fund. In any event, the Operator shall meet at a minimum twice per year.

Service providers: the Operator shall take steps to conduct the required due diligence on any proposed service provider and, post-appointment, remains responsible at all times for monitoring the performance of that service provider, including its compliance with applicable laws and regulations.

Conflicts of interest: Operators must maintain a written conflicts of interest policy reflective of the size, complexity, structure, nature of business and risk profile of the operations of the regulated fund. To the extent possible, this may be documented in the fund's constitutional documents, offering documents or marketing materials; alternatively, it can be documented as a standalone written conflicts of interest policy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.