New and updated CIMA published rules and statements of guidance

Key points to note

• in summary, the revised SOG do not impose any new material regulatory requirements although CIMA provides helpful drafting clarifications of its expectations in its feedback statement;
• the main takeaway is that outsourcing remains a key supervisory focus for CIMA;
• CIMA expects all regulated entities to have a written outsourcing policy duly approved by its governing body; and
• CIMA expects the revised SOG to be implemented by a regulated entity with immediate effect.

Relevance to regulated entities

As outsourcing is such a key supervisory focus for CIMA and other international financial regulators, a regulated entity must always apply the requirements contained in the SOG when engaging any outsourced service provider.

Key points to note

• the rule applies minimum standards to a regulated entity and should be applied proportionally based on the size, complexity, structure, nature of business and risk profile of a business;
• the governing body of the regulated entity must prescribe a minimum time commitment expected on an annual basis to the Non-Executive Directors at the beginning of each financial year;
• the rules clarifies that investment funds can depending on the size, complexity, structure, nature of business and risk profile discharge the requirement to establish sub-committee(s) in circumstances where it receives a report directly from the fund’s AML compliance officer, MLRO or another suitably qualified compliance or legal professional at least annually, and on an ad-hoc time basis, as required;
• the CG Rule requires all governing bodies of regulated entities to meet at least annually; and
• each director of the governing body must ensure that they are not subject to undue influence from senior management or other parties and that they have access to all relevant information about the regulated entity.

Relevance to regulated entities

From an enforcement perspective, it is worth noting that part VIA of the Monetary Authority Act gives CIMA the power to impose administrative fines upon CIMA regulated entities and individuals in relation to breaches of certain rules as currently set out in schedule 1 (Prescribed Provisions and Breach Categories) of the Monetary Authority (Administrative Fines) Regulations 2022 which currently lists various CIMA published rules e.g., rule on internal controls.

Key points to note

• CIMA has confirmed that current sector-specific guidance on internal controls will not be included in the appendices of this rule and SOG;
• as part of CIMA’s supervisory framework, CIMA expects regulated entities to have an effective internal controls framework in place, commensurate with the size, complexity, structure, nature of business and risk profile of the regulated entity. CIMA has clarified that this will be considered in assessing the effectiveness of controls implemented. For example, CIMA recognise that a “one size fits all” rule and SOG on Internal Controls is not workable, in particular, as a large majority of entities regulated by CIMA are investment funds which have no employees;
• CIMA have helpfully clarified certain definitions such as “Client” and added a definition for “Material Risk”; and
• CIMA continues to recognise that certain regulated entities will outsource day-to-day management (intragroup or externally to a third party service provider) and such arrangements need to comply with this rule and SOG.

Relevance to regulated entities

We recommend that regulated entities discuss their Internal Controls with their board/governing body and take proactive measures to ensure robust and appropriate governance and control arrangements are in place. Additionally, regulated entities should expect this to be an area of supervisory focus for CIMA, in particular, during the course of a CIMA inspection, and this should be given attention at board level and factored into regulatory and compliance planning going forward.