Following consultation, CIMA published its revised SOG on outsourcing together with a feedback statement setting out its rationale for some of the approaches taken by it in this SOG.

Key points to note

  • in summary, the revised SOG do not impose any new material regulatory requirements although CIMA provides helpful drafting clarifications of its expectations in its feedback statement;
  • the main takeaway is that outsourcing remains a key supervisory focus for CIMA;
  • CIMA expects all regulated entities to have a written outsourcing policy duly approved by its governing body; and
  • CIMA expects the revised SOG to be implemented by a regulated entity with immediate effect.

Relevance to regulated entities

CIMA has continuously emphasised that responsibility and accountability for effective oversight of all regulated activities, whether outsourced or not, ultimately rests with the governing body and senior management of the regulated entity.

As outsourcing is such a key supervisory focus for CIMA and other international financial regulators, a regulated entity must always apply the requirements contained in the SOG when engaging any outsourced service provider.


Corporate Governance Rule

CIMA’s new rule on corporate governance (CG Rule) comes into effect six months from the date of publication i.e., 14 October 2023. The CG Rule also applies to Mutual Funds and Private Funds and should be read in conjunction with the SOG on Corporate Governance for Mutual Funds and Private Funds. The key change to that SOG is that Private Funds now fall within scope of the SOG on Corporate Governance which previously only applied to Mutual Funds.

Key points to note

  • the rule applies minimum standards to a regulated entity and should be applied proportionally based on the size, complexity, structure, nature of business and risk profile of a business;
  • the governing body of the regulated entity must prescribe a minimum time commitment expected on an annual basis to the Non-Executive Directors at the beginning of each financial year;
  • the rules clarifies that investment funds can depending on the size, complexity, structure, nature of business and risk profile discharge the requirement to establish sub-committee(s) in circumstances where it receives a report directly from the fund’s AML compliance officer, MLRO or another suitably qualified compliance or legal professional at least annually, and on an ad-hoc time basis, as required;
  • the CG Rule requires all governing bodies of regulated entities to meet at least annually; and
  • each director of the governing body must ensure that they are not subject to undue influence from senior management or other parties and that they have access to all relevant information about the regulated entity.

Relevance to regulated entities

The CG Rule seeks to address identified corporate governance deficiencies to be implemented in a manner that is proportionate and flexible enough to accommodate different business types and governance structures of a regulated entity.

From an enforcement perspective, it is worth noting that part VIA of the Monetary Authority Act gives CIMA the power to impose administrative fines upon CIMA regulated entities and individuals in relation to breaches of certain rules as currently set out in schedule 1 (Prescribed Provisions and Breach Categories) of the Monetary Authority (Administrative Fines) Regulations 2022 which currently lists various CIMA published rules e.g., rule on internal controls.


Internal Controls Rule and SOG

CIMA’s rule and SOG on internal controls comes into effect on 14 October 2023.

Key points to note

  • CIMA has confirmed that current sector-specific guidance on internal controls will not be included in the appendices of this rule and SOG;
  • as part of CIMA’s supervisory framework, CIMA expects regulated entities to have an effective internal controls framework in place, commensurate with the size, complexity, structure, nature of business and risk profile of the regulated entity. CIMA has clarified that this will be considered in assessing the effectiveness of controls implemented. For example, CIMA recognise that a “one size fits all” rule and SOG on Internal Controls is not workable, in particular, as a large majority of entities regulated by CIMA are investment funds which have no employees;
  • CIMA have helpfully clarified certain definitions such as “Client” and added a definition for “Material Risk”; and
  • CIMA continues to recognise that certain regulated entities will outsource day-to-day management (intragroup or externally to a third party service provider) and such arrangements need to comply with this rule and SOG.

Relevance to regulated entities

In recent months CIMA has commented that certain regulated entities have failed to have effective internal controls in place to identify deficiencies in its AML-CFT compliance programme and to be able to demonstrate sufficient oversight of the AML-CFT framework to ensure compliance. This is also particularly important where regulated entities have outsourcing arrangements in place in relation to the provision of AML Officers as CIMA expects regulated entities to have processes in place to oversee the activities outsourced to service providers.

We recommend that regulated entities discuss their Internal Controls with their board/governing body and take proactive measures to ensure robust and appropriate governance and control arrangements are in place. Additionally, regulated entities should expect this to be an area of supervisory focus for CIMA, in particular, during the course of a CIMA inspection, and this should be given attention at board level and factored into regulatory and compliance planning going forward.


How we can help

Our regulatory team has seen an increased demand from clients for advice and assistance on ensuring that their regulatory policies and procedures are aligned with CIMA’s expectations as contained in the related SOGs and CIMA’s regulatory requirements as contained in the related rules. We regularly conduct gap analysis against these CIMA requirements to be implemented by the regulated entity.

This information is provided for general information purposes only and is not intended to constitute legal advice. For specific regulatory advice, please contact any member of our regulatory team.

Twitter LinkedIn Email Save as PDF
More News