Internal Controls (Effective: October 2023)

CIMA has issued a Rule and Statement of Guidance on Internal Controls for Regulated Entities, providing comprehensive guidance on the implementation of effective internal controls for regulated entities in the Cayman Islands.
The purpose of the present guidance is to establish the Authority’s requirements and minimum expectations on internal controls for all entities regulated by the Authority under the regulatory acts. The guidance will come into effect on 13 October 2023.
The guidance is broadly organized into two parts: Part I sets out the general rules and guidelines for all regulated entities covering each of the five components of internal control, namely: Control Environment; Risk Identification and Assessment; Control Activities and Segregation of Duties; Information and Communication; and Monitoring Activities and Correcting Deficiencies. Part II sets out additional sector-specific rules and guidelines for trust companies, company managers, and corporate services providers, as well as securities investment business.
—
Part I starts with CIMA recognizing that internal control needs may vary from one regulated entity to another commensurate with the size, complexity, structure, nature of business, and risk profile of its operations. Hence, this Rule and Statement of Guidance is not intended to be exhaustive. The guidance is consistent with Section 34 of the Monetary Authority Act, which provides that the Authority may issue or amend rules or statements of principle or guidance concerning the conduct of licensees and their officers and employees, and any other persons to whom and to the extent that the regulatory acts may apply.
The guidance emphasizes the importance of internal control deficiencies and the need for regulated entities to ensure that internal control deficiencies, whether identified by business line, internal audit, or other control personnel, are reported in a timely manner to the appropriate parties for corrective action. All significant internal control deficiencies must be reported to Senior Management and the Governing Body of the regulated entity. The internal audit function is an important part of the ongoing monitoring of the system of internal controls because it provides an independent assessment of the adequacy of, and compliance with, the established policies and procedures. The internal audit function should report directly to the Governing Body or its audit committee, and communicate its findings and recommendations to Senior Management.
Regulated entities should have adequate procedures for receiving, recording, investigating, monitoring, and resolving complaints from customers. A high number of complaints may indicate inadequate controls or undue override of existing controls. Therefore, regulated entities should ensure that complaints are handled fairly, consistently, and timely and that necessary action is taken to sufficiently remediate the control deficiencies highlighted by the complaints. The Governing Body and Senior Management should periodically receive reports summarizing key control issues that have been identified and/or complaints received. The reports should include information such as nature of issues, volume, frequency, how the issues were addressed, and disciplinary actions undertaken for non-compliance.
—
Part II of the guidance on the one hand provides sector-specific rules and guidelines for trust companies, company managers, and corporate services providers in the fiduciary service sector. It emphasizes the importance of segregating client assets and client money, along with the need for written disclosure, prompt reconciliation of client money accounts, and appropriate authorization for client money pay-outs.
On the other hand, concerning the securities investment business sector, the guidance focuses on minimizing conflicts of interest, effective communication of terms for discretionary authority, establishment of procedures to prevent errors and fraud, and also a clear segregation of client funds and property. These regulations aim to ensure compliance and ethical conduct within the trust and securities investment sectors.