Legal basis

CIMA has the power to impose a fine or to take regulatory action against a regulated financial service provider where a regulatory breach of a “prescribed provision” as defined in the Monetary Authority (Administrative Fines) Regulations 2022 has been or is being committed. Prescribed provisions are found in a number of different pieces of financial services legislation and CIMA rules. Although none of the prescribed provisions explicitly refer to “statements of guidance”, certain of them do cross-refer to CIMA published guidance. This means that while the statements of guidance do not have the force of law, they must be borne in mind from a regulatory compliance perspective.

Rule and SOG on Cybersecurity for regulated entities

The rule and statement of guidance on cybersecurity (Cybersecurity Measures) were updated to expand their scope to include virtual asset services providers (VASPs) and persons registered under the Securities Investment Business Act (as amended) (Registered Persons).

Helpfully, the revisions clarify that the existing exemption for funds registered under the Mutual Funds Act (as revised) (Mutual Funds Act) also applies to funds registered under the Private Funds Act (as revised) (Private Funds Act).

The Cybersecurity Measures require regulated entities to develop effective IT and cybersecurity governance and risk management frameworks. Regulated entities must incorporate the Cybersecurity Measures into their governance and risk management frameworks, as CIMA requires documentation evidencing this to be produced as part of a CIMA inspection. We understand that certain CIMA inspections have highlighted areas where a firm’s IT and cybersecurity governance and risk management have fallen short of CIMA’s expected standards.

As with other regulators, CIMA is aware of the ongoing challenges for regulated entities to protect against various attacks by cyber criminals. Consequently, CIMA has increased its supervisory oversight of IT and cybersecurity-related risks in recent years. Regulated entities must ensure that their IT and cybersecurity policies and procedures are aligned with the Cybersecurity Measures, in particular where an entity outsources some or all of its IT function externally to a third-party service provider or internally within its own group.

SOG on the Nature, Accessibility and Retention of Records (Record Retention Guidance)

The updates made to the Record Retention Guidance were relatively minor, primarily to clarify that the requirements apply to all regulated entities (including VASPs and Registered Persons). The Record Retention Guidance sets out CIMA’s minimum expectations on the retention of all relevant documentation and records (e.g., regulatory correspondence, corporate documentation). CIMA expects regulated entities to have a clearly defined record management system in place.

There is some overlap between the Record Retention Guidance and the requirements of the Anti-Money Laundering Regulations and related AML-CTF guidance notes.  Regulated entities annually reviewing and updating (if needed) their AML-CTF policies and procedures should also consider the Record Retention Guidance in the process, to ensure that all requirements are met.

Corporate Governance SOG for CIMA regulated funds

This corporate governance guidance sets out CIMA’s minimum expectations for operators of regulated funds to ensure the funds operate efficiently and in the interests of investors.  The key material change to this guidance has been to extend its scope to include a fund registered under the Private Funds Act.

The reference to “Governing Body” in the previously issued guidance has been replaced with the term “Operator” to refer to those individuals with primary responsibility for the governance of a regulated fund, e.g., in the case of a company, the board of directors and, in the case of a partnership, the general partner.

The revised guidance includes new provisions relating to:

Composition of the Operator: there is no recommended minimum size other than the Operator shall have a diversity of skills, background, experience and expertise to ensure that there is an overall adequate level of competence at the level of the Operator.

Meetings: the Operator shall meet as often as is appropriate to fulfill its responsibilities effectively and prudently, reflective of the nature, complexity, structure, nature of business and risk profile of the regulated fund. In any event, the Operator shall at a minimum meet once per year.

Service providers: the Operator shall take steps to conduct the required due-diligence on any proposed service provider and post-appointment will always be responsible for monitoring the performance of that service provider, including its compliance with applicable laws etc.

Conflicts of interest: Operators must maintain a written conflicts of interest policy reflective of the size, complexity, structure, nature of business and risk profile of the operations of the business of the regulated fund. To the extent possible, this may be documented in the fund’s constitutional documents, offering documents or marketing materials. Alternatively, it can be documented as a standalone written conflicts of interest policy.

How we can help

Our regulatory team has seen increased demand from clients for advice on and assistance with ensuring that their regulatory policies and procedures are aligned with CIMA’s expectations. We will regularly conduct a gap analysis exercise for a client against the CIMA requirements to be implemented by that client. Please get in touch if we can be of assistance.

This information is provided for general information purposes only and is not intended to constitute legal advice. For specific regulatory advice, please contact any member of our regulatory team.
