{"kind":"expression","expression":{"expr_id":"290","doc_id":"290","label":"SL 40 of 2023","is_as_enacted":"t","commenced_on":null,"superseded_on":null,"valid_from":null,"valid_to":null,"is_current":"t","incorporating":null,"akn_expr_iri":"\/akn\/ky\/act\/sl\/2023\/40\/eng@2023-01-01","akn_envelope":"{\"_canary\": {\"iri\": {\"work\": \"\/akn\/ky\/act\/sl\/2023\/40\", \"expression\": \"\/akn\/ky\/act\/sl\/2023\/40\/eng@2023-01-01\", \"manifestation\": \"\/akn\/ky\/act\/sl\/2023\/40\/eng@2023-01-01.pdf\"}, \"pdf\": {\"md5\": \"56c5a96cd5d8351a52fed3c42e16868a\", \"path\": \"\/Users\/q\/kyleg-data\/working\/SUBORDINATE\/2023\/2023-0040\/2023-0040_SL 40 of 2023.pdf\", \"pages\": 20, \"filename\": \"2023-0040_SL 40 of 2023.pdf\"}, \"errors\": [], \"extraction\": {\"model\": null, \"stats\": {\"word_count\": 6993, \"paragraph_count\": 13, \"text_char_count\": 50409}, \"usage\": null, \"method\": \"pymupdf-text\", \"version\": \"kyleg-akn-1.0\", \"extracted_at\": \"2026-06-22\"}, \"classification\": \"text_layer\", \"validation_flags\": [], \"docai_processor_id\": null}, \"akomaNtoso\": {\"act\": {\"body\": [{\"eId\": \"sec_n1\", \"num\": null, \"text\": \"Cayman Islands Monetary Authority Page 1 of 20 RULE AND STATEMENT OF GUIDANCE Internal Controls for Regulated Entities April 2023 RULE AND STATEMENT OF GUIDANCE \u2013 INTERNAL CONTROLS FOR REGULATED ENTITIES Cayman Islands Monetary Authority Page 2 of 20 Table of Contents A. TRUST COMPANIES, COMPANY MANAGERS AND CORPORATE SERVICES
\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_2\", \"num\": \"2.\", \"text\": \"List of Acronyms: AML\/CFT \u2013 Anti-Money Laundering\/Countering the Financing of Terrorism; CIMA \u2013 Cayman Islands Monetary Authority; CPF \u2013 Countering the Financing of Proliferation of weapons of mass destruction; MAA \u2013 Monetary Authority Act. Rule and Statement of Guidance Internal Controls for Regulated Entities\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_1\", \"num\": \"1.\", \"text\": \"Introduction 1.1. This document establishes the Cayman Islands Monetary Authority\u2019s (the \u201cAuthority\u201d or \u201cCIMA\u201d) Rule and Statement of Guidance on Internal Controls for Regulated Entities. The Rule and Statement of Guidance should be read in conjunction with the following: a) CIMA-issued measures on: investment activities of insurers; responsibilities of insurance managers; risk management; corporate governance; market conduct; cybersecurity; records management and retention; internal audit; business continuity management; outsourcing; fitness and propriety; Anti-Money Laundering, Combating the Financing of Terrorism and Countering the Financing of Proliferation of weapons of mass destruction (\u201cAML\/CFT\/CPF\u201d); and b) any other regulatory instruments issued by the Authority from time to time. 1.2. This document is broadly organised as follows: Part I sets out the general rules and guidelines for all regulated entities covering each of the five components of internal control, namely: Control Environment; Risk Identification and Assessment; Control Activities and Segregation of Duties; Information and Communication; and Monitoring Activities and Correcting Deficiencies. Part II sets out additional sector-specific rules and guidelines. 2. 
Statement of Objectives 2.1. To set out the Authority\u2019s rules and guidance on the requirements for regulated entities with regard to internal controls. In general, internal controls represent the way a regulated entity is structured and operated so that reasonable assurance is provided of: a) the ability to carry on its business in an orderly and efficient manner; b) the safeguarding of its and its clients\u2019 assets; c) the maintenance of proper records and the reliability of financial, operational, and regulatory reports; and d) the compliance with all applicable acts and regulatory requirements. 2.2. The Authority recognises that internal control needs may vary from one regulated entity to another commensurate with the size, complexity, structure, nature of business and risk profile of its operations. Hence, this Rule and Statement of Guidance is not intended to be exhaustive; rather, it sets out the Authority\u2019s requirements and minimum expectations on internal controls.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_3\", \"num\": \"3.\", \"text\": \"Statutory Authority 3.1. This Rule and Statement of Guidance is consistent with Section 34 of the Monetary Authority Act (MAA) which provides that: \u201c34(1) After private sector consultation and consultation with the Minister charged with responsibility for Financial Services, the Authority may\u2013 (a) issue or amend rules or statements of principle or guidance concerning the conduct of licensees and their officers and employees, and any other persons to whom and to the extent that the regulatory acts may apply; (c) issue or amend rules or statements of principle or guidance to reduce the risk of financial services business being used for money laundering or other criminal purposes.\u201d 3.2. 
To highlight the Authority\u2019s internal control rules within this document, a rule is written in light blue and designated with the letter \u201cR\u201d in the right margin.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_4\", \"num\": \"4.\", \"text\": \"Scope of Application 4.1. The Rule and Statement of Guidance applies to all entities regulated by the Authority under the regulatory acts (as defined and amended under the MAA); subject to proportional application outlined in paragraphs 4.2 to 4.4 below. 4.2. The Authority recognises that regulated entities may outsource some business functions, delegating their duties for day-to-day management to service providers. A regulated entity may rely on the service providers\u2019 system of internal control over the outsourced activities provided that the Governing Body is satisfied and can demonstrate to the Authority that such system of internal control meets the requirements of this Rule and Statement of Guidance\u00b9. 4.3. Where a regulated entity is part of a group, it may rely on the group\u2019s system of internal control provided that the regulated entity's Governing Body is satisfied and can demonstrate to the Authority that such system of internal control meets the requirements of this Rule and Statement of Guidance. 4.4. In assessing whether the internal control system implemented or relied upon by a regulated entity meets the requirements of this Rule and Statement of Guidance, appropriate consideration should be given to the size, complexity, structure, nature of business, and risk profile of the regulated entity. 4.5. References to any act or regulation shall be construed as references to those provisions as amended, modified, re-enacted or replaced from time to time.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_5\", \"num\": \"5.\", \"text\": \"Definitions 5.1. The following definitions are provided for the purpose of this Rule: 5.2. 
The \u201cGoverning Body\u201d of a regulated entity is the Board of Directors where the entity is a corporation, the General Partner where the entity is a partnership, the manager (or equivalent) where the entity is a Limited Liability Company, and the Board of Trustees where the entity is a trust business. 5.3. \u201cSenior Management\u201d includes the most senior staff of the regulated entity, including heads of divisions, and any person who fulfils the functions of a senior manager, by whatever name called. Such functions include actively participating in the daily planning, supervision, administration and execution of a regulated entity's objectives and strategy. 5.4. \u201cManagement\u201d means collectively, the Senior Management, middle-level management, and lower-level management of the regulated entity. 5.5. \u201cMaterial risks\u201d are those risks that could have a significant impact on the achievement of a regulated entity\u2019s objectives. [Footnote 1, to paragraph 4.2: Regulated entities utilising outsourcing should also refer to regulatory measures issued by the Authority on outsourcing, as applicable.]\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_6\", \"num\": \"6.\", \"text\": \"Enforcement 6.1. Whenever there has been a breach of the rules included in this document, the Authority\u2019s policies and procedures as contained in its Enforcement Manual will apply in addition to any other powers provided in the regulatory acts and the MAA.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_7\", \"num\": \"7.\", \"text\": \"Effective date 7.1. This Rule and Statement of Guidance will come into effect within six months of the date that it is published in the Gazette. 
PART I GENERAL RULES AND GUIDELINES FOR ALL REGULATED ENTITIES\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_8\", \"num\": \"8.\", \"text\": \"Control Environment The control environment refers to the set of standards, processes, and structures that provide a basis for carrying out effective internal control across the organization. An effective control environment creates the discipline that supports the assessment of risks necessary for the achievement of the entity\u2019s objectives, performance of control activities, and use of information and communication systems, as well as the conduct of monitoring activities. The control environment, therefore, has an extensive impact on the overall system of internal control. The Governing Body and Senior Management establish the tone at the top regarding the importance of internal controls and expected standards of conduct. Additionally, the Governing Body and Senior Management communicate their expectations concerning integrity and ethical values throughout the organization and, as appropriate, to outsourced service providers and business partners. The Role of the Governing Body 8.1. The Governing Body of a regulated entity is ultimately responsible for ensuring that an adequate and effective system of internal control is established, documented, and maintained. 8.2. The Governing Body is responsible for approving and periodically reviewing the overall business strategies and significant policies of the regulated entity. It must also have the responsibility of understanding the material risks faced by the regulated entity, setting acceptable levels for these risks, and ensuring that Senior Management takes the steps necessary to identify, measure, monitor and control these risks. 
Additionally, the Governing Body is responsible for approving the organizational structure and ensuring that Senior Management is monitoring the effectiveness of the internal control system. 8.3. The Governing Body of a regulated entity must demonstrate independence from its Management and exercise oversight of the development and performance of internal controls. Where it is not reasonably possible for the Governing Body to achieve independence from its Management, documented policies and procedures must be in place to identify and manage actual or perceived conflicts of interests. 8.4. The Governing Body provides governance, guidance, and oversight to Senior Management. Members of the Governing Body should be objective, capable, and inquisitive, with knowledge or expertise of the activities of and risks run by the regulated entity. As appropriate, the Governing Body should consist of some members who are independent from the daily management of the regulated entity. A strong, active Governing Body, particularly when coupled with effective upward communication channels and capable financial, legal, and internal audit functions, provides an important mechanism to ensure the correction of problems that may diminish the effectiveness of the internal control system. 8.5. The Governing Body should include in its activities (1) periodic discussions with Management concerning the effectiveness of the internal control system, (2) a timely review of evaluations of internal controls conducted by Management, internal auditors, and\/or external auditors, (3) periodic efforts to ensure that Management has promptly followed up on recommendations and concerns expressed by auditors and\/or supervisory authorities on internal control weaknesses, and (4) a periodic review of the appropriateness of the regulated entity\u2019s strategy. 
The Role of Senior Management 8.6. Senior Management should have responsibility for implementing strategies and policies approved by the Governing Body and developing processes that identify, measure, monitor and control risks incurred by the regulated entity. Additionally, Senior Management should have the responsibility of setting appropriate internal control procedures and monitoring the adequacy and effectiveness of the internal control system. 8.7. A regulated entity must establish and document its organisational structure including the appropriate functions, lines of reporting, responsibility, and authority. 8.7.1. Senior Management, with oversight from the Governing Body, should ensure that there are no gaps in reporting lines and that an appropriate and effective level of management control is extended to all levels of the organization and its various activities. The documented organisational structure should be kept current and any changes appropriately communicated. 8.7.2. Internal control responsibilities can generally be viewed as falling within three lines of defence against the failure to achieve the entity\u2019s objectives: a) Management and other personnel on the front line provide the first line of defence in day-to-day activities. They are responsible for maintaining effective internal control day to day; b) business-enabling functions such as risk, control, legal, and compliance provide the second line of defence as they clarify internal control requirements and evaluate adherence to defined standards; and c) Internal auditors provide the third line of defence in assessing and reporting on internal control and recommending corrective actions or enhancements for management consideration and implementation. 8.8. Members of Senior Management typically delegate duties for development of more specific internal control policies and procedures to those responsible for a particular business unit. 
Delegation is an essential part of management; however, it is important for Senior Management to oversee the managers to whom they have delegated these duties to ensure that they develop and enforce appropriate policies and procedures. 8.9. A regulated entity is required to demonstrate a commitment to ensuring that activities are conducted by persons with sufficient knowledge, skills, and experience commensurate with the size, complexity, structure, nature of business, and risk profile of its operations. 8.9.1. Staff training and skills should be regularly updated with adequate consideration given to training needs to ensure compliance with the regulated entity\u2019s operational and internal control policies and procedures; and compliance with all applicable legal and regulatory requirements to which the entity is subject. Control Culture 8.10. Regulated entities are required to demonstrate a commitment to integrity and ethical values. 8.10.1. An organization\u2019s control environment can also be seen as synonymous with its internal control culture. Elements of a strong culture, such as integrity and ethical values, effective oversight, accountability, and performance evaluations, make the control environment strong as well. Culture is part of an organization\u2019s control environment, but also encompasses elements of other components of internal control such as establishing effective policies and procedures, ease of security controls or access to information, and the responsiveness to the results of monitoring activities. 8.10.2. 
The Governing Body and Senior Management are responsible for promoting high ethical and integrity standards, and for establishing a culture for the regulated entity that emphasises and demonstrates the importance of internal controls to all levels of personnel, outsourced service providers, and business partners. This includes the ethical values that Management displays in their business dealings, both inside and outside the organization. The words, attitudes, and actions of the Governing Body and Senior Management affect the integrity, ethics, and other aspects of the regulated entities\u2019 control culture. 8.10.3. In reinforcing ethical values, regulated entities should avoid policies and practices that may inadvertently provide incentives or temptations for inappropriate activities. Examples of such policies and practices may include undue emphasis on performance targets or other operational results, particularly short-term ones that ignore longer-term risks; compensation schemes that overly depend on short-term performance; ineffective segregation of duties or other controls that could allow the misuse of resources or concealment of poor performance; and insignificant or overly onerous penalties for improper behaviours. 8.11. A regulated entity is required to hold persons who have been assigned responsibilities for internal controls accountable for performance of such responsibilities. 8.11.1. In varying degrees, internal control is the responsibility of everyone in the organization. Almost all employees produce information used in the internal control system or take other actions needed to implement internal controls. 
An essential element of a strong internal control system is the recognition by all employees of the need to carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of noncompliance with the entity\u2019s code of conduct, or other policy violations or illegal actions that are noticed. This can best be achieved when operational procedures are contained in clearly written documentation that is made available to all relevant personnel. It is essential that all personnel of the regulated entity understand the importance of internal control and are actively engaged in the internal control process. 8.11.2. Where outsourced service providers perform activities for or on behalf of the regulated entity, Management must implement a program to evaluate the effectiveness of the system of internal control over such activities. Such a program should be commensurate with the nature, complexity and risk profile of the outsourced activity.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_9\", \"num\": \"9.\", \"text\": \"Risk Identification and Assessment 9.1. Risk assessment involves a dynamic and iterative process for identifying, measuring, and analysing risks to achieving an organization\u2019s objectives. It also forms a basis for determining how the risks will be managed. A precondition to risk assessment is the establishment of risk-related objectives, linked at different levels of the organization. Management should consider the suitability of the objectives established. Risk assessment also requires Management to consider the impact of possible changes in the external environment and within its own business model that may render the internal control system ineffective. 9.2. 
Regulated entities must specify their objectives with sufficient clarity to be able to identify and assess the risks relating to those objectives. 9.2.1. Objectives form the basis on which risk assessment approaches are implemented and performed and subsequent control activities are established. As part of internal control, Management may consider specifying and grouping objectives at all levels of the entity within broad categories relating to operations, reporting, and compliance. The grouping of objectives within these categories allows for the risks to the achievement of those objectives to be identified and assessed. 9.3. As appropriate, regulated entities must identify and assess all material risks to the achievement of their objectives and analyse the risks as a basis for determining how they should be managed. This assessment must cover all material risks (including the risk of fraud) facing the regulated entity on a consolidated basis. 9.3.1. Internal controls should be regularly reviewed and revised to appropriately address any new or previously uncontrolled risks. For example, as financial innovation occurs, a regulated entity needs to evaluate new financial instruments and market transactions and consider the risks associated with these activities. Often these risks can be understood when considering how various scenarios (economic and otherwise) affect the cash flows and earnings of financial instruments and transactions. Thoughtful consideration of the full range of possible problems, from customer misunderstanding to operational failure, will point to important control considerations. 9.3.2. 
Effective risk assessment identifies and considers internal factors (such as the complexity of the organization\u2019s structure, the nature of the organization\u2019s activities, the quality of personnel, organizational changes and employee turnover) as well as external factors (such as fluctuating economic conditions, changes in the industry and technological advances) that could adversely affect the achievement of its objectives. As applicable, this risk assessment should be conducted at the level of individual businesses, across the wide spectrum of activities and subsidiaries of the consolidated entity. Effective risk assessment addresses both measurable and non-measurable aspects of risks and weighs costs of controls against the benefits they provide. 9.3.3. The risk assessment process also includes evaluating the risks to determine which are controllable by the regulated entity and which are not. For those risks that are controllable, it is important for the regulated entity to assess whether to accept those risks or the extent to which it wishes to mitigate the risks through control procedures. For those risks that cannot be controlled, the regulated entity should decide whether to accept these risks or to withdraw from or reduce the level of business activity concerned.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_10\", \"num\": \"10.\", \"text\": \"Control Activities and Segregation of Duties Control Activities 10.1. Regulated entities must select and develop control activities (including general control activities over technology) that contribute to the mitigation of risks to the achievement of their objectives to acceptable levels. The control activities are deployed through policies that establish what is expected; and procedures that put policies into action. 10.2. An effective internal control system requires that an appropriate control structure is established, with control activities defined at every business level. 
These should include: top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with any established exposure limits and follow-up on non-compliance; a system of approvals and authorisations; a system of verifications and reconciliations; and a system of supervisory controls. 10.3. Control activities are designed and implemented to address the risks that the regulated entity identified through the risk assessment process. These control activities may be preventive or detective in nature and may encompass a range of manual and automated activities. Control activities involve two steps: (1) the establishment of control policies and procedures; and (2) verification that the control policies and procedures are being complied with. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. Examples of control activities include, but are not limited to: a) Top level reviews \u2013 The Governing Body and Senior Management often request presentations and performance reports that enable them to review the entity\u2019s progress toward its goals. For example, Senior Management may review reports showing actual financial results to date versus the budget. Questions that Senior Management generates as a result of this review and the ensuing responses of lower levels of management represent a control activity which may detect problems such as control weaknesses, errors in financial reporting or fraudulent activities. b) Activity controls - Department or division level management receives and reviews standard performance and exception reports on a daily, weekly, or monthly basis. Functional reviews occur more frequently than top-level reviews and usually are more detailed. 
As with the top-level review, the questions that are generated from reviewing the reports and the responses to those questions represent the control activity. c) Physical controls - Physical controls generally focus on restricting access to tangible assets, including cash and securities. The control activities include physical limitations, dual custody, and periodic reconciliation of inventories with control records. d) Compliance with exposure limits \u2013 Where applicable, the establishment of prudent limits on risk exposures is an important aspect of risk management. For example, compliance with limits for borrowers and other counterparties reduces concentration of credit risk and helps to diversify a regulated entity\u2019s credit risk profile. Consequently, an important aspect of internal controls is a process for reviewing compliance with such limits and follow-up on instances of noncompliance. e) Approvals and authorisations - Requiring approval and authorisation for transactions over certain limits ensures that an appropriate level of management is aware of the transaction or situation and helps to establish accountability. It also affirms that a transaction is valid (i.e., it represents an actual economic event or is within an entity\u2019s policy). f) Verifications and reconciliations - Verifications of transaction details and activities; and the verification of output of any risk management models used by the regulated entity are important control activities. Periodic reconciliations, such as those comparing cash flows to accounting records and statements, may identify activities and records that need correction. Consequently, the results of verifications and reconciliations should be reported to the appropriate levels of management whenever problems or potential problems are detected. 
g) Supervisory Controls - Supervisory controls assess whether other transaction control activities (i.e., activity controls, exposure limits, verifications, reconciliations, authorizations and approvals, physical control activities etc.) are being performed completely, accurately, and according to policy and procedures. 10.4. Control activities are most effective when they are viewed by Management and all other personnel as an integral part of, rather than an addition to, the daily activities of the regulated entity. When controls are viewed as an addition to the day-to-day activities, they are often seen as less important and may not be performed in situations where persons feel pressured to complete activities in a limited amount of time. In addition, controls that are an integral part of the daily activities enable quick responses to changing conditions and avoid unnecessary costs. As part of fostering the appropriate control culture within the regulated entity, Senior Management should ensure that adequate control activities are an integral part of the daily functions of all relevant personnel. 10.5. It is not sufficient for the regulated entity to simply establish appropriate policies and procedures for its various activities and divisions. Management, with Governing Body oversight, must regularly ensure that all applicable divisions of the regulated entity follow such policies and procedures and determine that existing policies and procedures remain adequate. Segregation of Duties 10.6. A regulated entity must ensure that there is adequate segregation of duties commensurate with the size, complexity, structure, nature of business and risk profile of its operations. 10.7. Where segregation of duties is not reasonably practical, a regulated entity must establish and implement appropriate alternative control activities. 10.8. 
Segregation of duties is typically built into the selection and development of control activities. When selecting and developing control activities, Management should consider whether duties are appropriately divided or segregated among different persons to reduce the risk of error or inappropriate or fraudulent actions. Such consideration should include the legal environment, regulatory requirements, and stakeholder expectations. This segregation of duties generally entails dividing the responsibility for approving transactions, recording them, and handling the related asset(s). 10.8.1. In some instances, segregation of duties may not be practical, cost effective, or feasible. For instance, small entities may lack sufficient resources to achieve ideal segregation, and the cost of hiring additional staff may be prohibitive. In these situations, management should institute appropriate alternative control activities including, but not limited to: rotation of duties; increased Management oversight such as additional reviews and reconciliations; and third-party involvement, including outsourcing. 10.9. Assigning conflicting duties to one individual (for example, though not limited to, responsibility for both the front and back offices of a trading function) gives that person access to assets of value and the ability to manipulate financial data for personal gain or to conceal losses. Consequently, certain duties within a regulated entity\u2019s organization should be split, to the extent possible, among various persons to reduce the risk of manipulation of financial data or misappropriation of assets. 
There should also be periodic reviews of the responsibilities and functions of management and staff to identify areas of potential conflict of interest and ensure there are independent checks to minimise the risk of concealment of inappropriate actions.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_11\", \"num\": \"11.\", \"text\": \"Information and Communication 11.1. Regulated entities must obtain or generate, and then use relevant and quality information from both internal and external sources to support effective functioning of internal controls. 11.2. Information is necessary for an entity to carry out its internal control responsibilities to support the achievement of its objectives. Communication refers to the continual, iterative process of providing, sharing, and obtaining necessary information internally and externally. Internal communication is how information is disseminated throughout an entity, flowing up, down, and across the entity. It enables Senior Management to communicate internal control responsibilities across the entity. External communication enables inbound communications of relevant external information and outbound provision of information to external parties in response to requirements and\/or expectations. 11.3. From the regulated entity\u2019s perspective, for information to be useful, it must be relevant, reliable, timely, accessible, and provided in a consistent format. Information includes internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making and functioning of internal controls. Internal information is part of a record-keeping process that should include established procedures for record retention. 11.4. 
An effective internal control system requires that there are reliable information systems in place that cover all significant activities of the regulated entity. These systems, including those that hold and use data in an electronic form, must be secure, monitored independently and supported by adequate contingency arrangements. 11.4.1. Regulated entities should be particularly aware of the organizational and internal control requirements related to processing information in an electronic form and the necessity to have an adequate audit trail. Management decision-making and effectiveness of internal control could be adversely affected by unreliable or misleading information provided by systems that are poorly designed and controlled. 11.4.2. Electronic information systems and the use of information technology have risks that must be effectively controlled by regulated entities to avoid disruptions to business and potential losses. Since transaction processing and business applications have expanded beyond the use of mainframe computer environments to distributed systems for mission-critical business functions, the magnitude of risks also has expanded. Controls over information systems and technology should include both general and application controls. General controls are controls over computer systems (for example, mainframe, client\/server, and end-user workstations) and ensure their continued, proper operation. General controls include in-house back-up and recovery procedures, software development and acquisition policies, maintenance (change control) procedures, and physical\/logical access security controls. Application controls are computerised steps within software applications and other manual procedures that control the processing of transactions and business activities. Application controls include, for example, edit checks and specific logical access controls unique to a business system. 
Without adequate controls over information systems and technology, including systems that are under development, regulated entities could experience loss of data and programs due to inadequate physical and electronic security arrangements, equipment or systems failures, and inadequate in-house backup and recovery procedures. 11.4.3. In addition to the risks and controls above, inherent risks exist that are associated with the loss or extended disruption of services caused by factors beyond the regulated entity\u2019s control. In extreme cases, since the delivery of corporate and customer services represent key transactional, strategic, and reputational issues, such problems could cause serious difficulties for regulated entities and even jeopardise their ability to conduct key business activities. This potentially requires the regulated entity to establish business resumption and contingency plans using an alternate off-site facility, including the recovery of critical systems supported by an external service provider. The potential for loss or extended disruption of critical business operations requires an institution-wide effort on contingency planning, involving business management, and not focused on centralised computer operations. Business resumption plans should be periodically tested to ensure the plan\u2019s functionality in the event of an unexpected disaster. 11.5. Regulated entities must have effective internal channels for communicating information on objectives and responsibilities necessary to support the proper functioning of internal control. 11.5.1. 
An effective internal control system requires effective channels of communication to ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel. 11.5.2. Senior Management of regulated entities should establish effective paths of communication to ensure that the necessary information is reaching the appropriate people. This information relates both to the operational policies and procedures of the regulated entity as well as information regarding its actual operational performance. 11.5.3. The organizational structure of the regulated entity should facilitate an adequate flow of information - upward, downward and across the organization. A structure that facilitates this flow ensures that information flows upward so that the Governing Body and Senior Management are aware of the business risks and the operating performance of the entity. Information flowing down through an organization ensures that the entity\u2019s objectives, strategies, and expectations, as well as its established policies and procedures, are communicated to lower-level management and operations personnel. This communication is essential to achieve a unified effort by all employees to meet the regulated entity\u2019s objectives. Finally, communication across the entity is necessary to ensure that information that one business line or department knows can be shared with other affected divisions or departments.\", \"element\": \"section\", \"heading\": null}, {\"eId\": \"sec_12\", \"num\": \"12.\", \"text\": \"Monitoring Activities and Correcting Deficiencies 12.1. Regulated entities must establish and implement appropriate processes for monitoring the effectiveness of their internal controls. 12.2. 
Monitoring activities assess whether each of the five components of internal control is present and functioning effectively to support the achievement of the organization\u2019s objectives. Monitoring is a key input of the organization\u2019s assessment of the effectiveness of internal control. It also provides valuable support for assertions of the effectiveness of the system of internal controls. 12.3. As an entity\u2019s operating environment may be dynamic and rapidly evolving, it is important for regulated entities to continually monitor and evaluate their internal control systems in the light of changing internal and external conditions and enhance these systems as necessary to maintain their effectiveness. Senior Management should ensure that the monitoring function is properly defined and appropriate for size, complexity, structure, nature of business, and risk profile of the regulated entity. 12.4. Monitoring the effectiveness of internal controls can be done by personnel from several different areas, including the business function itself, financial control, and internal audit. For that reason, it is important that Senior Management makes clear which personnel are responsible for which monitoring functions. Monitoring of effectiveness of internal controls should be ongoing, as part of the daily activities of the regulated entity but could also include separate periodic evaluations as appropriate. The frequency of monitoring different activities of a regulated entity should be determined by considering the risks involved and the frequency and nature of changes occurring in the operating environment. 12.4.1. Ongoing monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the system of internal controls. 
Such monitoring is most effective when the system of internal controls is integrated into the operating environment and produces regular reports for review. Examples of ongoing monitoring include the review and approval of journal entries, and management review and approval of exception reports. 12.4.2. In contrast, separate evaluations typically detect problems only after the fact; however, separate evaluations allow an entity to take a fresh, comprehensive look at the effectiveness of the internal control system and specifically at the effectiveness of the monitoring activities. These evaluations can be done by personnel from several different areas, including the business function itself, financial control, and internal audit. Separate evaluations of the internal control system often take the form of self-assessments when persons responsible for a particular function determine the effectiveness of controls for their activities. The documentation and the results of the evaluations are then reviewed by Senior Management. All levels of review should be adequately documented and reported on a timely basis to the appropriate level of management. Internal Audit 12.5. As applicable, there should be an effective and comprehensive audit of the internal control system carried out by operationally independent, appropriately trained, and competent staff. 12.6. The internal audit function, as part of the monitoring of the system of internal control, should report directly to the Governing Body or its audit committee, and communicate its findings and recommendations to Senior Management. The internal audit function should have appropriate standing within the regulated entity to ensure senior management acts upon its recommendations. 12.7. 
The internal audit function is an important part of the ongoing monitoring of the system of internal controls because it provides an independent assessment of the adequacy of, and compliance with, the established policies and procedures. It is critical that the internal audit function is independent from the day-to-day functioning of the regulated entity and that it has access to all activities conducted by the regulated entity including, where applicable, at its branches and subsidiaries. Internal Control Deficiencies 12.8. Regulated entities must ensure that internal control deficiencies, whether identified by business line, internal audit, or other control personnel, are reported in a timely manner to the appropriate parties for corrective action. All significant internal control deficiencies must be reported to Senior Management and the Governing Body of the regulated entity. 12.9. Reporting on internal control deficiencies depends on the criteria established by Governing Body, Management, and other parties such as regulators and standard-setting bodies, as applicable. Results of ongoing and separate evaluations are assessed against those criteria to determine whom to report to and what is reported. 12.10. Once internal control deficiencies and ineffectively controlled risks are reported, it is important that Management corrects the deficiencies on a timely basis. Senior Management should be responsible for establishing an appropriate system to track internal control weaknesses to ensure that actions to rectify the weaknesses are carried out on a timely basis. As applicable, the internal audit function should conduct follow-up reviews or other appropriate forms of monitoring, and immediately inform Senior Management or the Governing Body of any uncorrected deficiencies. 12.11. Regulated entities should have adequate procedures for receiving, recording, investigating, monitoring, and resolving complaints from customers. 
A high number of complaints may indicate inadequate controls or undue override of existing controls. Therefore, regulated entities should ensure complaints are handled fairly, consistently, and timely and that necessary action is taken to sufficiently remediate the control deficiencies highlighted by the complaints. 12.12. The Governing Body and Senior Management should periodically receive reports summarising key control issues that have been identified and\/or complaints received. The reports should include information such as nature of issues, volume, frequency, how the issues were addressed, and disciplinary actions undertaken for non-compliance. Issues that appear to be immaterial when individual control processes are looked at in isolation, may well point to trends that could, when linked, become a significant control deficiency if not addressed in a timely manner. PART II SECTOR-SPECIFIC RULES AND GUIDELINES A. TRUST COMPANIES, COMPANY MANAGERS AND CORPORATE SERVICES PROVIDERS 1. Introduction and Scope of Application 1.1 The purpose of this part of the Internal Controls Rules and Guidelines is to establish the obligations and provide some guidance specifically for the regulated entities in the fiduciary service sector. The regulated entities covered in Section A of Part II are (1) trust companies; (2) company managers; and (3) corporate services providers. 1.2 This sector-specific guidance addresses specialised areas that require more and\/or different guidance or explanation than dealt with in Part I of this Rule and Statement of Guidance and should be read in conjunction with Part I. 2. Definitions 2.1 The following definitions are provided for the purpose of this section: a. 
\u201cClient\u201d refers to a person with whom the regulated entity has entered an agreement to provide services constituting trust business or company management business. Where the regulated entity is a Trust, Restricted Trust or Nominee Trust, \u201cClient\u201d may also refer to a beneficiary of any trust administered by a Trust, Restricted Trust or Nominee Trust. b. \u201cClient money\u201d includes money that a regulated entity holds or receives on behalf of a Client or owes to a Client. 3. Operational Controls 3.1 As applicable, a Client\u2019s assets must be segregated from other Clients\u2019 assets and from those of the regulated entity. 3.2 Client money must be held in clearly segregated and distinct accounts from other Clients\u2019 accounts and any accounts of the regulated entity. 3.3 Regulated entities must ensure appropriate written disclosure to Clients on the terms upon which Client money is held. 3.4 Regulated entities must ensure that Client money accounts are reconciled promptly. 3.5 Appropriate authorisation and signing powers, at a minimum, dual signatory in the event of Client money pay-outs shall be implemented, subject to Client agreed terms and conditions. 3.6 Regulated entities shall implement policies and procedures to prevent, subject to Client agreed terms and conditions, inappropriate use of Client money including the use of such Client money for the settlement of the regulated entity\u2019s fees and disbursements. B. SECURITIES INVESTMENT BUSINESS 1. Introduction and Scope of Application 1.1. The purpose of this part of the Internal Controls Rules and Guidelines is to establish the obligations and provide some guidance specifically for regulated entities in the securities investment business sector. 
The regulated entities covered in Section B of Part II are securities investment business licensees and registered persons undertaking the regulated activities of market makers, broker-dealers, securities arrangers, securities advisors, and securities managers. 1.2. This sector-specific guidance addresses specialised areas that require more and\/or different guidance or explanation than dealt with in Part I of this Rule and Statement of Guidance and should be read in conjunction with Part I. 2. Definitions 2.2 The following definitions are provided for the purpose of this section: a. \u201cClient\u201d, as defined in Securities Investment Business Act (As amended), refers to a person with or for whom securities investment business is transacted. 3. Operational Controls 3.1. Regulated entities must establish appropriate policies and procedures to minimize the potential for the existence of conflicts of interest between the regulated entity or its personnel and Clients. In circumstances where actual or apparent conflicts of interest cannot reasonably be avoided, Clients must be fully informed of the nature and possible ramifications of such conflicts and in all cases, treated fairly. 3.2. Where a regulated entity exercises discretionary authority over a Client\u2019s account, procedures must be established to ensure that the precise terms and conditions under which such authority may be exercised are effectively communicated to the Client, and that only transactions which are consistent with the investment strategies and objectives of the relevant client, are effected on the Client\u2019s behalf. 3.3. Regulated entities must establish and maintain appropriate and effective procedures in relation to dealing and related review processes to prevent or detect errors, omissions, fraud and other unauthorised or improper activities, and which ensure the fair and timely allocation of trades effected on behalf of Clients. 3.4. 
Regulated entities must ensure that Client funds and property are clearly segregated from funds and property of the regulated entity. R R R R Cayman Islands Monetary Authority Page 20 of 20\", \"element\": \"section\", \"heading\": null}], \"meta\": {\"notes\": null, \"workflow\": null, \"lifecycle\": {\"source\": \"#cilegis\", \"eventRef\": [{\"eId\": \"e_commence_2023_01_01\", \"date\": \"2023-01-01\", \"type\": \"generation\", \"source\": \"#cilegis\"}]}, \"references\": {\"source\": \"#canary\", \"TLCRole\": [], \"TLCEvent\": [{\"eId\": \"ev_commencement\", \"href\": \"\/akn\/ontology\/canary\/event\/commencement\", \"showAs\": \"commencement\"}], \"TLCPerson\": [], \"TLCConcept\": [{\"eId\": \"inForce\", \"href\": \"\/akn\/ontology\/canary\/concept\/temporal\/in-force\", \"showAs\": \"in force\"}], \"TLCProcess\": [], \"TLCLocation\": [], \"TLCOrganization\": [{\"eId\": \"cilegis\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\", \"showAs\": \"Cayman Islands legislation mirror (kyleg)\"}]}, \"temporalData\": {\"source\": \"#cilegis\", \"temporalGroup\": [{\"eId\": \"tg_inforce_2023_01_01\", \"timeInterval\": [{\"end\": null, \"start\": \"#e_commence_2023_01_01\", \"duration\": null, \"refersTo\": \"#inForce\"}]}]}, \"classification\": null, \"identification\": {\"source\": \"#cilegis\", \"FRBRWork\": {\"FRBRuri\": \"\/akn\/ky\/act\/sl\/2023\/40\", \"FRBRdate\": [{\"date\": \"2023-01-01\", \"name\": \"generation\"}], \"FRBRthis\": \"\/akn\/ky\/act\/sl\/2023\/40\/!main\", \"FRBRalias\": [{\"name\": \"cmsId\", \"value\": \"2023-0040\"}], \"FRBRauthor\": [{\"as\": \"#editor\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\"}], \"FRBRnumber\": \"40 of 2023\", \"FRBRcountry\": \"ky\", \"FRBRsubtype\": \"subordinate\"}, \"FRBRExpression\": {\"FRBRuri\": \"\/akn\/ky\/act\/sl\/2023\/40\/eng@2023-01-01\", \"FRBRdate\": [{\"date\": \"2023-01-01\", \"name\": \"generation\"}], \"FRBRthis\": 
\"\/akn\/ky\/act\/sl\/2023\/40\/eng@2023-01-01\/!main\", \"FRBRauthor\": [{\"as\": \"#editor\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\"}], \"FRBRlanguage\": \"eng\"}, \"FRBRManifestation\": {\"FRBRuri\": \"\/akn\/ky\/act\/sl\/2023\/40\/eng@2023-01-01.xml\", \"FRBRdate\": [{\"date\": \"2026-06-22\", \"name\": \"generation\"}], \"FRBRthis\": \"\/akn\/ky\/act\/sl\/2023\/40\/eng@2023-01-01.xml\", \"FRBRauthor\": [{\"as\": \"#editor\", \"href\": \"\/akn\/ontology\/canary\/organization\/editor\/cilegis\"}], \"FRBRformat\": \"application\/xml\"}}}, \"name\": \"act\", \"header\": {\"title\": \"Rule and Statement of Guidance \u2013 Internal Control for Regulated Entities\", \"actNumber\": \"40 of 2023\", \"longTitle\": null}}, \"doc\": null, \"bill\": null, \"judgment\": null}}","akn_full_text":"Cayman Islands Monetary Authority\n\nPage 1 of 20\n\nRULE AND STATEMENT OF GUIDANCE\nInternal Controls for Regulated Entities\n\nApril 2023\n\nRULE AND STATEMENT OF GUIDANCE \u2013 INTERNAL CONTROLS FOR REGULATED ENTITIES\n\nCayman Islands Monetary Authority\n\nPage 2 of 20\n\nTable of Contents\n\nList of Acronyms ..................................................................................................... 3\n1. Introduction ...................................................................................................... 4\n2. Statement of Objectives .................................................................................... 4\n3. Statutory Authority ........................................................................................... 4\n4. Scope of Application .......................................................................................... 5\n5. Definitions ........................................................................................................ 5\n6. Enforcement ...................................................................................................... 6\n7. 
Effective date .................................................................................................... 6\nGENERAL RULES AND GUIDELINES FOR ALL REGULATED ENTITIES ........................ 7\n8. Control Environment ......................................................................................... 7\n9. Risk Identification and Assessment ................................................................ 10\n10. Control Activities and Segregation of Duties ................................................... 11\n11. Information and Communication ..................................................................... 13\n12. Monitoring Activities and Correcting Deficiencies ........................................... 15\nSECTOR-SPECIFIC RULES AND GUIDELINES .......................................................... 18\nA. TRUST COMPANIES, COMPANY MANAGERS AND CORPORATE SERVICES\nPROVIDERS ........................................................................................................... 18\n1.\nIntroduction and Scope of Application ......................................................... 18\n2.\nDefinitions ................................................................................................... 18\n3.\nOperational Controls .................................................................................... 18\nB. SECURITIES INVESTMENT BUSINESS .............................................................. 19\n1.\nIntroduction and Scope of Application ......................................................... 19\n2.\nOperational Controls .................................................................................... 
19\n\nRULE AND STATEMENT OF GUIDANCE \u2013 INTERNAL CONTROLS FOR REGULATED ENTITIES\n\nCayman Islands Monetary Authority\n\nPage 3 of 20\nList of Acronyms\n\nAcronym\nDefinition\nAML\/CFT\nAnti-Money Laundering\/Countering the Financing of Terrorism\nCIMA\nCayman Islands Monetary Authority\nCPF\nMAA\nCountering the Financing of Proliferation of weapons of mass destruction\nMonetary Authority Act\n\nCayman Islands Monetary Authority\n\nPage 4 of 20\n\nRule and Statement of Guidance\n\nInternal Controls for Regulated Entities\n\n1.\nIntroduction\n\n1.1.\nThis document establishes the Cayman Islands Monetary Authority\u2019s (the\n\u201cAuthority\u201d or \u201cCIMA\u201d) Rule and Statement of Guidance on Internal Controls for\nRegulated Entities. The Rule and Statement of Guidance should be read in\nconjunction with the following:\n\na)\nCIMA-issued\nmeasures\non:\ninvestment\nactivities\nof\ninsurers;\nresponsibilities of insurance managers; risk management; corporate\ngovernance; market conduct; cybersecurity; records management and\nretention;\ninternal\naudit;\nbusiness\ncontinuity\nmanagement;\noutsourcing; fitness and propriety; Anti-Money Laundering, Combating\nthe Financing of Terrorism and Countering the Financing of Proliferation\nof weapons of mass destruction (\u201cAML\/CFT\/CPF\u201d); and\n\nb)\nany other regulatory instruments issued by the Authority from time to\ntime.\n\n1.2.\nThis document is broadly organised as follows: Part I sets out the general rules\nand guidelines for all regulated entities covering each of the five components\nof internal control, namely: Control Environment; Risk Identification and\nAssessment; Control Activities and Segregation of Duties; Information and\nCommunication; and Monitoring Activities and Correcting Deficiencies. 
Part II\nsets out additional sector-specific rules and guidelines.\n\n2.\nStatement of Objectives\n\n2.1.\nTo set out the Authority\u2019s rules and guidance on the requirements for regulated\nentities with regards to internal controls. In general, internal controls represent\nthe way a regulated entity is structured and operated so that reasonable\nassurance is provided of:\n\na)\nthe ability to carry on its business in an orderly and efficient manner;\nb)\nthe safeguarding of its and its clients\u2019 assets;\nc)\nthe maintenance of proper records and the reliability of financial,\noperational, and regulatory reports; and\nd)\nthe compliance with all applicable acts and regulatory requirements.\n\n2.2.\nThe Authority recognises that internal control needs may vary from one\nregulated entity to another commensurate with the size, complexity, structure,\nnature of business and risk profile of its operations. Hence, this Rule and\nStatement of Guidance is not intended to be exhaustive; rather, it sets out the\nAuthority\u2019s requirements and minimum expectations on internal controls.\n\n3.\nStatutory Authority\n\n3.1.\nThis Rule and Statement of Guidance is consistent with Section 34 of the\nMonetary Authority Act (MAA) which provides that:\n\nRULE AND STATEMENT OF GUIDANCE \u2013 INTERNAL CONTROLS FOR REGULATED ENTITIES\n\nCayman Islands Monetary Authority\n\nPage 5 of 20\n\u201c34(1) After private sector consultation and consultation with the Minister\ncharged with responsibility for Financial Services, the Authority may\u2013\n(a)\nissue or amend rules or statements of principle or guidance concerning\nthe conduct of licensees and their officers and employees, and any other\npersons to whom and to the extent that the regulatory acts may apply;\n\n(c)\nissue or amend rules or statements of principle or guidance to reduce\nthe risk of financial services business being used for money laundering\nor other criminal purposes.\u201d\n\n3.2.\nTo highlight the 
Authority\u2019s internal control rules within this document, a rule\nis written in light blue and designated with the letter \u201cR\u201d in the right margin.\n\n4.\nScope of Application\n\n4.1.\nThe Rule and Statement of Guidance applies to all entities regulated by the\nAuthority under the regulatory acts (as defined and amended under the MAA);\nsubject to proportional application outlined in paragraphs 4.2 to 4.4 below.\n\n4.2.\nThe Authority recognises that regulated entities may outsource some business\nfunctions, delegating their duties for day-to-day management to service\nproviders. A regulated entity may rely on the service providers\u2019 system of\ninternal control over the outsourced activities provided that the Governing Body\nis satisfied and can demonstrate to the Authority that such system of internal\ncontrol meets the requirements of this Rule and Statement of Guidance1.\n\n4.3.\nWhere a regulated entity is part of a group, it may rely on the group\u2019s system\nof internal control provided that the regulated entity's Governing Body is\nsatisfied and can demonstrate to the Authority that such system of internal\ncontrol meets the requirements of this Rule and Statement of Guidance.\n\n4.4.\nIn assessing whether the internal control system implemented or relied upon\nby a regulated entity meets the requirements of this Rule and Statement of\nGuidance, appropriate consideration should be given to the size, complexity,\nstructure, nature of business, and risk profile of the regulated entity.\n\n4.5.\nReferences to any act or regulation shall be construed as references to those\nprovisions as amended, modified, re-enacted or replaced from time to time.\n\n5.\nDefinitions\n\n5.1.\nThe following definitions are provided for the purpose of this Rule:\n\n5.2.\nThe \u201cGoverning Body\u201d of a regulated entity is the Board of Directors where\nthe entity is a corporation, the General Partner where the entity is a\npartnership, the manager (or 
equivalent) where the entity is a Limited Liability\nCompany, and the Board of Trustees where the entity is a trust business.\n\n5.3.\n\u201cSenior Management\u201d includes the most senior staff of the regulated entity,\nincluding heads of divisions, and any person who fulfils the functions of a senior\nmanager, by whatever name called. Such functions include actively\n\n1 Regulated entities utilising outsourcing should also refer to regulatory measures issued by the\nAuthority on outsourcing, as applicable.\n\nRULE AND STATEMENT OF GUIDANCE \u2013 INTERNAL CONTROLS FOR REGULATED ENTITIES\n\nCayman Islands Monetary Authority\n\nPage 6 of 20\nparticipating in the daily planning, supervision, administration and execution of\na regulated entity's objectives and strategy.\n\n5.4.\n\u201cManagement\u201d means collectively, the Senior Management, middle-level\nmanagement, and lower-level management of the regulated entity.\n\n5.5.\n\u201cMaterial risks\u201d are those risks that could have a significant impact on the\nachievement of a regulated entity\u2019s objectives.\n\n6.\nEnforcement\n\n6.1.\nWhenever there has been a breach of the rules included in this document, the\nAuthority\u2019s policies and procedures as contained in its Enforcement Manual will\napply in addition to any other powers provided in the regulatory acts and the\nMAA.\n\n7.\nEffective date\n\n7.1.\nThis Rule and Statement of Guidance will come into effect within six months of\nthe date that it is published in the Gazette.\n\nRULE AND STATEMENT OF GUIDANCE \u2013 INTERNAL CONTROLS FOR REGULATED ENTITIES\n\nCayman Islands Monetary Authority\n\nPage 7 of 20\nPART I\n\nGENERAL RULES AND GUIDELINES FOR ALL REGULATED ENTITIES\n\n8.\nControl Environment\n\nThe control environment refers to the set of standards, processes, and structures that\nprovide a basis for carrying out effective internal control across the organization. 
An\neffective control environment creates the discipline that supports the assessment of\nrisks necessary for the achievement of the entity\u2019s objectives, performance of control\nactivities, and use of information and communication systems, as well as the conduct\nof monitoring activities. The control environment, therefore, has an extensive impact\non the overall system of internal control. The Governing Body and Senior Management\nestablish the tone at the top regarding the importance of internal controls and\nexpected standards of conduct. Additionally, the Governing Body and Senior\nManagement communicate their expectations concerning integrity and ethical values\nthroughout the organization and, as appropriate, to outsourced service providers and\nbusiness partners.\n\nThe Role of the Governing Body\n\n8.1.\nThe Governing Body of a regulated entity is ultimately responsible for ensuring\nthat an adequate and effective system of internal control is established,\ndocumented, and maintained.\n\n8.2.\nThe Governing Body is responsible for approving and periodically reviewing the\noverall business strategies and significant policies of the regulated entity. It\nmust also have the responsibility of understanding the material risks faced by\nthe regulated entity, setting acceptable levels for these risks, and ensuring that\nSenior Management takes the steps necessary to identify, measure, monitor\nand control these risks. Additionally, the Governing Body is responsible for\napproving the organizational structure and ensuring that Senior Management\nis monitoring the effectiveness of the internal control system.\n\n8.3.\nThe Governing Body of a regulated entity must demonstrate independence from\nits Management and exercise oversight of the development and performance\nof internal controls. 
Where it is not reasonably possible for the Governing Body\nto achieve independence from its Management, documented policies and\nprocedures must be in place to identify and manage actual or perceived\nconflicts of interest.\n\n8.4.\nThe Governing Body provides governance, guidance, and oversight to Senior\nManagement. Members of the Governing Body should be objective, capable,\nand inquisitive, with knowledge or expertise of the activities of and risks run by\nthe regulated entity. As appropriate, the Governing Body should consist of\nsome members who are independent from the daily management of the\nregulated entity. A strong, active Governing Body, particularly when coupled\nwith effective upward communication channels and capable financial, legal, and\ninternal audit functions, provides an important mechanism to ensure the\ncorrection of problems that may diminish the effectiveness of the internal\ncontrol system.\n\n8.5.\nThe Governing Body should include in its activities (1) periodic discussions with\nManagement concerning the effectiveness of the internal control system, (2) a\ntimely review of evaluations of internal controls conducted by Management,\ninternal auditors, and\/or external auditors, (3) periodic efforts to ensure that\nManagement has promptly followed up on recommendations and concerns\nexpressed by auditors and\/or supervisory authorities on internal control\nweaknesses, and (4) a periodic review of the appropriateness of the regulated\nentity\u2019s strategy.\n\nThe Role of Senior Management\n\n8.6.\nSenior Management should have responsibility for implementing strategies and\npolicies approved by the Governing Body and developing processes that\nidentify, measure, monitor and control risks incurred by the regulated entity.\nAdditionally, Senior Management should have the responsibility of 
setting\nappropriate internal control procedures and monitoring the adequacy and\neffectiveness of the internal control system.\n\n8.7.\nA regulated entity must establish and document its organisational structure\nincluding the appropriate functions, lines of reporting, responsibility, and\nauthority.\n\n8.7.1. Senior Management, with oversight from the Governing Body, should\nensure that there are no gaps in reporting lines and that an appropriate\nand effective level of management control is extended to all levels of\nthe organization and its various activities. The documented\norganisational structure should be kept current and any changes\nappropriately communicated.\n\n8.7.2. Internal control responsibilities can generally be viewed as falling within\nthree lines of defence against the failure to achieve the entity\u2019s\nobjectives:\n\na)\nManagement and other personnel on the front line provide the\nfirst line of defence in day-to-day activities. They are responsible\nfor maintaining effective internal control day to day;\n\nb)\nBusiness-enabling functions such as risk, control, legal, and\ncompliance provide the second line of defence as they clarify\ninternal control requirements and evaluate adherence to defined\nstandards; and\n\nc)\nInternal auditors provide the third line of defence in assessing\nand reporting on internal control and recommending corrective\nactions or enhancements for management consideration and\nimplementation.\n\n8.8.\nMembers of Senior Management typically delegate duties for development of\nmore specific internal control policies and procedures to those responsible for\na particular business unit. 
Delegation is an essential part of management;\nhowever, it is important for Senior Management to oversee the managers to\nwhom they have delegated these duties to ensure that they develop and\nenforce appropriate policies and procedures.\n\n8.9.\nA regulated entity is required to demonstrate a commitment to ensuring that\nactivities are conducted by persons with sufficient knowledge, skills, and\nexperience commensurate with the size, complexity, structure, nature of\nbusiness, and risk profile of its operations.\n\n8.9.1. Staff training and skills should be regularly updated with adequate\nconsideration given to training needs to ensure compliance with the\nregulated entity\u2019s operational and internal control policies and\nprocedures; and compliance with all applicable legal and regulatory\nrequirements to which the entity is subject.\n\nControl Culture\n\n8.10. Regulated entities are required to demonstrate a commitment to integrity and\nethical values.\n\n8.10.1. An organization\u2019s control environment can also be seen as synonymous\nwith its internal control culture. Elements of a strong culture, such as\nintegrity and ethical values, effective oversight, accountability, and\nperformance evaluations, make the control environment strong as well.\nCulture is part of an organization\u2019s control environment, but also\nencompasses elements of other components of internal control such as\nestablishing effective policies and procedures, ease of security controls\nor access to information, and the responsiveness to the results of\nmonitoring activities.\n\n8.10.2. 
The Governing Body and Senior Management are responsible for\npromoting high ethical and integrity standards, and for establishing a\nculture for the regulated entity that emphasises and demonstrates the\nimportance of internal controls to all levels of personnel, outsourced\nservice providers, and business partners. This includes the ethical\nvalues that Management displays in their business dealings, both inside\nand outside the organization. The words, attitudes, and actions of the\nGoverning Body and Senior Management affect the integrity, ethics,\nand other aspects of the regulated entities\u2019 control culture.\n\n8.10.3. In reinforcing ethical values, regulated entities should avoid policies\nand practices that may inadvertently provide incentives or temptations\nfor inappropriate activities. Examples of such policies and practices may\ninclude undue emphasis on performance targets or other operational\nresults, particularly short-term ones that ignore longer-term risks;\ncompensation schemes that overly depend on short-term performance;\nineffective segregation of duties or other controls that could allow the\nmisuse of resources or concealment of poor performance; and\ninsignificant or overly onerous penalties for improper behaviours.\n\n8.11. A regulated entity is required to hold persons who have been assigned\nresponsibilities for internal controls accountable for performance of such\nresponsibilities.\n\n8.11.1. In varying degrees, internal control is the responsibility of everyone in\nthe organization. Almost all employees produce information used in the\ninternal control system or take other actions needed to implement\ninternal controls. 
An essential element of a strong internal control\nsystem is the recognition by all employees of the need to carry out their\nresponsibilities effectively and to communicate to the appropriate level\nof management any problems in operations, instances of non-compliance with the entity\u2019s code of conduct, or other policy violations\nor illegal actions that are noticed. This can best be achieved when\noperational procedures are contained in clearly written documentation\nthat is made available to all relevant personnel. It is essential that all\npersonnel of the regulated entity understand the importance of internal\ncontrol and are actively engaged in the internal control process.\n\n8.11.2. Where outsourced service providers perform activities for or on behalf\nof the regulated entity, Management must implement a program to\nevaluate the effectiveness of the system of internal control over such\nactivities. Such a program should be commensurate with the nature,\ncomplexity and risk profile of the outsourced activity.\n\n9.\nRisk Identification and Assessment\n\n9.1.\nRisk assessment involves a dynamic and iterative process for identifying,\nmeasuring, and analysing risks to achieving an organization\u2019s objectives. It also\nforms a basis for determining how the risks will be managed. A precondition to\nrisk assessment is the establishment of risk-related objectives, linked at\ndifferent levels of the organization. Management should consider the suitability\nof the objectives established. 
Risk assessment also requires Management to\nconsider the impact of possible changes in the external environment and within\nits own business model that may render the internal control system ineffective.\n\n9.2.\nRegulated entities must specify their objectives with sufficient clarity to be able\nto identify and assess the risks relating to those objectives.\n\n9.2.1. Objectives form the basis on which risk assessment approaches are\nimplemented and performed and subsequent control activities are\nestablished. As part of internal control, Management may consider\nspecifying and grouping objectives at all levels of the entity within broad\ncategories relating to operations, reporting, and compliance. The\ngrouping of objectives within these categories allows for the risks to the\nachievement of those objectives to be identified and assessed.\n\n9.3.\nAs appropriate, regulated entities must identify and assess all material risks to\nthe achievement of their objectives and analyse the risks as a basis for\ndetermining how they should be managed. This assessment must cover all\nmaterial risks (including the risk of fraud) facing the regulated entity on a\nconsolidated basis.\n\n9.3.1. Internal controls should be regularly reviewed and revised to\nappropriately address any new or previously uncontrolled risks. For\nexample, as financial innovation occurs, a regulated entity needs to\nevaluate new financial instruments and market transactions and\nconsider the risks associated with these activities. Often these risks can\nbe understood when considering how various scenarios (economic and\notherwise) affect the cash flows and earnings of financial instruments\nand transactions. 
Thoughtful consideration of the full range of possible\nproblems, from customer misunderstanding to operational failure, will\npoint to important control considerations.\n\n9.3.2. Effective risk assessment identifies and considers internal factors (such\nas the complexity of the organization\u2019s structure, the nature of the\norganization\u2019s activities, the quality of personnel, organizational\nchanges and employee turnover) as well as external factors (such as\nfluctuating economic conditions, changes in the industry and\ntechnological advances) that could adversely affect the achievement of\nits objectives. As applicable, this risk assessment should be conducted\nat the level of individual businesses, across the wide spectrum of\nactivities and subsidiaries of the consolidated entity. Effective risk\nassessment addresses both measurable and non-measurable aspects of\nrisks and weighs costs of controls against the benefits they provide.\n\n9.3.3. The risk assessment process also includes evaluating the risks to\ndetermine which are controllable by the regulated entity and which are\nnot. For those risks that are controllable, it is important for the regulated\nentity to assess whether to accept those risks or the extent to which it\nwishes to mitigate the risks through control procedures. For those risks\nthat cannot be controlled, the regulated entity should decide whether to\naccept these risks or to withdraw from or reduce the level of business\nactivity concerned.\n\n10.\nControl Activities and Segregation of Duties\n\nControl Activities\n\n10.1. Regulated entities must select and develop control activities (including general\ncontrol activities over technology) that contribute to the mitigation of risks to\nthe achievement of their objectives to acceptable levels. 
The control activities\nare deployed through policies that establish what is expected; and procedures\nthat put policies into action.\n\n10.2. An effective internal control system requires that an appropriate control\nstructure is established, with control activities defined at every business level.\nThese should include: top level reviews; appropriate activity controls for\ndifferent departments or divisions; physical controls; checking for compliance\nwith any established exposure limits and follow-up on non-compliance; a\nsystem of approvals and authorisations; a system of verifications and\nreconciliations; and a system of supervisory controls.\n\n10.3. Control activities are designed and implemented to address the risks that the\nregulated entity identified through the risk assessment process. These control\nactivities may be preventive or detective in nature and may encompass a range\nof manual and automated activities. Control activities involve two steps: (1)\nthe establishment of control policies and procedures; and (2) verification that\nthe control policies and procedures are being complied with. Control activities\nare performed at all levels of the entity, at various stages within business\nprocesses, and over the technology environment. Examples of control activities\ninclude, but are not limited to:\n\na)\nTop level reviews \u2013 The Governing Body and Senior Management\noften request presentations and performance reports that enable them\nto review the entity\u2019s progress toward its goals. For example, Senior\nManagement may review reports showing actual financial results to date\nversus the budget. 
Questions that Senior Management generates as a\nresult of this review and the ensuing responses of lower levels of\nmanagement represent a control activity which may detect problems\nsuch as control weaknesses, errors in financial reporting or fraudulent\nactivities.\n\nb)\nActivity controls \u2013 Department or division level management receives\nand reviews standard performance and exception reports on a daily,\nweekly, or monthly basis. Functional reviews occur more frequently than\ntop-level reviews and usually are more detailed. As with the top-level\nreview, the questions that are generated from reviewing the reports and\nthe responses to those questions represent the control activity.\n\nc)\nPhysical controls \u2013 Physical controls generally focus on restricting\naccess to tangible assets, including cash and securities. The control\nactivities include physical limitations, dual custody, and periodic\nreconciliation of inventories with control records.\n\nd)\nCompliance with exposure limits \u2013 Where applicable, the\nestablishment of prudent limits on risk exposures is an important aspect\nof risk management. For example, compliance with limits for borrowers\nand other counterparties reduces concentration of credit risk and helps\nto diversify a regulated entity\u2019s credit risk profile. Consequently, an\nimportant aspect of internal controls is a process for reviewing\ncompliance with such limits and follow-up on instances of non-compliance.\n\ne)\nApprovals and authorisations \u2013 Requiring approval and authorisation\nfor transactions over certain limits ensures that an appropriate level of\nmanagement is aware of the transaction or situation and helps to\nestablish accountability. 
It also affirms that a transaction is valid (i.e.,\nit represents an actual economic event or is within an entity\u2019s policy).\n\nf)\nVerifications and reconciliations \u2013 Verifications of transaction details\nand activities; and the verification of output of any risk management\nmodels used by the regulated entity are important control activities.\nPeriodic reconciliations, such as those comparing cash flows to\naccounting records and statements, may identify activities and records\nthat need correction. Consequently, the results of verifications and\nreconciliations should be reported to the appropriate levels of\nmanagement whenever problems or potential problems are detected.\n\ng)\nSupervisory controls \u2013 Supervisory controls assess whether other\ntransaction control activities (i.e., activity controls, exposure limits,\nverifications, reconciliations, authorizations and approvals, physical\ncontrol activities etc.) are being performed completely, accurately, and\naccording to policy and procedures.\n\n10.4. Control activities are most effective when they are viewed by Management and\nall other personnel as an integral part of, rather than an addition to, the daily\nactivities of the regulated entity. When controls are viewed as an addition to\nthe day-to-day activities, they are often seen as less important and may not be\nperformed in situations where persons feel pressured to complete activities in\na limited amount of time. In addition, controls that are an integral part of the\ndaily activities enable quick responses to changing conditions and avoid\nunnecessary costs. As part of fostering the appropriate control culture within\nthe regulated entity, Senior Management should ensure that adequate control\nactivities are an integral part of the daily functions of all relevant personnel.\n\n10.5. 
It is not sufficient for the regulated entity to simply establish appropriate\npolicies and procedures for its various activities and divisions. Management,\nwith Governing Body oversight, must regularly ensure that all applicable\ndivisions of the regulated entity follow such policies and procedures and\ndetermine that existing policies and procedures remain adequate.\n\nSegregation of Duties\n\n10.6. A regulated entity must ensure that there is adequate segregation of duties\ncommensurate with the size, complexity, structure, nature of business and risk\nprofile of its operations.\n\n10.7. Where segregation of duties is not reasonably practical, a regulated entity must\nestablish and implement appropriate alternative control activities.\n\n10.8. Segregation of duties is typically built into the selection and development of\ncontrol activities. When selecting and developing control activities,\nManagement should consider whether duties are appropriately divided or\nsegregated among different persons to reduce the risk of error or inappropriate\nor fraudulent actions. Such consideration should include the legal environment,\nregulatory requirements, and stakeholder expectations. This segregation of\nduties generally entails dividing the responsibility for approving transactions,\nrecording them, and handling the related asset(s).\n\n10.8.1. In some instances, segregation of duties may not be practical, cost-effective, or feasible. For instance, small entities may lack sufficient\nresources to achieve ideal segregation, and the cost of hiring additional\nstaff may be prohibitive. In these situations, management should\ninstitute appropriate alternative control activities including, but not\nlimited to: rotation of duties; increased Management oversight such as\nadditional reviews and reconciliations; and third-party involvement,\nincluding outsourcing.\n\n10.9. 
Assigning conflicting duties to one individual (for example, though not limited\nto, responsibility for both the front and back offices of a trading function) gives\nthat person access to assets of value and the ability to manipulate financial\ndata for personal gain or to conceal losses. Consequently, certain duties within\na regulated entity\u2019s organization should be split, to the extent possible, among\nvarious persons to reduce the risk of manipulation of financial data or\nmisappropriation of assets. There should also be periodic reviews of the\nresponsibilities and functions of management and staff to identify areas of\npotential conflict of interest and ensure there are independent checks to\nminimise the risk of concealment of inappropriate actions.\n\n11.\nInformation and Communication\n\n11.1. Regulated entities must obtain or generate, and then use relevant and quality\ninformation from both internal and external sources to support effective\nfunctioning of internal controls.\n\n11.2. Information is necessary for an entity to carry out its internal control\nresponsibilities to support the achievement of its objectives. Communication\nrefers to the continual, iterative process of providing, sharing, and obtaining\nnecessary information internally and externally. Internal communication is how\ninformation is disseminated throughout an entity, flowing up, down, and across\nthe entity. It enables Senior Management to communicate internal control\nresponsibilities across the entity. External communication enables inbound\ncommunications of relevant external information and outbound provision of\ninformation to external parties in response to requirements and\/or\nexpectations.\n\n11.3. 
From the regulated entity\u2019s perspective, for information to be useful, it must be\nrelevant, reliable, timely, accessible, and provided in a consistent format.\nInformation includes internal financial, operational and compliance data, as well\nas external market information about events and conditions that are relevant\nto decision making and functioning of internal controls. Internal information is\npart of a record-keeping process that should include established procedures for\nrecord retention.\n\n11.4. An effective internal control system requires that there are reliable information\nsystems in place that cover all significant activities of the regulated entity.\nThese systems, including those that hold and use data in an electronic form,\nmust be secure, monitored independently and supported by adequate\ncontingency arrangements.\n\n11.4.1. Regulated entities should be particularly aware of the organizational\nand internal control requirements related to processing information in\nan electronic form and the necessity to have an adequate audit trail.\nManagement decision-making and effectiveness of internal control\ncould be adversely affected by unreliable or misleading information\nprovided by systems that are poorly designed and controlled.\n\n11.4.2. Electronic information systems and the use of information technology\nhave risks that must be effectively controlled by regulated entities to\navoid disruptions to business and potential losses. Since transaction\nprocessing and business applications have expanded beyond the use of\nmainframe computer environments to distributed systems for mission-critical business functions, the magnitude of risks also has expanded.\nControls over information systems and technology should include both\ngeneral and application controls. 
General controls are controls over\ncomputer systems (for example, mainframe, client\/server, and end-user workstations) and ensure their continued, proper operation.\nGeneral controls include in-house back-up and recovery procedures,\nsoftware development and acquisition policies, maintenance (change\ncontrol) procedures, and physical\/logical access security controls.\nApplication controls are computerised steps within software\napplications and other manual procedures that control the processing\nof transactions and business activities. Application controls include, for\nexample, edit checks and specific logical access controls unique to a\nbusiness system. Without adequate controls over information systems\nand technology, including systems that are under development,\nregulated entities could experience loss of data and programs due to\ninadequate physical and electronic security arrangements, equipment\nor systems failures, and inadequate in-house backup and recovery\nprocedures.\n\n11.4.3. In addition to the risks and controls above, inherent risks exist that are\nassociated with the loss or extended disruption of services caused by\nfactors beyond the regulated entity\u2019s control. In extreme cases, since\nthe delivery of corporate and customer services represents key\ntransactional, strategic, and reputational issues, such problems could\ncause serious difficulties for regulated entities and even jeopardise\ntheir ability to conduct key business activities. This potentially requires\nthe regulated entity to establish business resumption and contingency\nplans using an alternate off-site facility, including the recovery of\ncritical systems supported by an external service provider. 
The\npotential for loss or extended disruption of critical business operations\nrequires an institution-wide effort on contingency planning, involving\nbusiness management, and not focused on centralised computer\noperations. Business resumption plans should be periodically tested to\nensure the plan\u2019s functionality in the event of an unexpected disaster.\n\n11.5. Regulated entities must have effective internal channels for communicating\ninformation on objectives and responsibilities necessary to support the proper\nfunctioning of internal control.\n\n11.5.1. An effective internal control system requires effective channels of\ncommunication to ensure that all staff fully understand and adhere to\npolicies and procedures affecting their duties and responsibilities and\nthat other relevant information is reaching the appropriate personnel.\n\n11.5.2. Senior Management of regulated entities should establish effective\npaths of communication to ensure that the necessary information is\nreaching the appropriate people. This information relates both to the\noperational policies and procedures of the regulated entity as well as\ninformation regarding its actual operational performance.\n\n11.5.3. The organizational structure of the regulated entity should facilitate an\nadequate flow of information - upward, downward and across the\norganization. A structure that facilitates this flow ensures that\ninformation flows upward so that the Governing Body and Senior\nManagement are aware of the business risks and the operating\nperformance of the entity. Information flowing down through an\norganization ensures that the entity\u2019s objectives, strategies, and\nexpectations, as well as its established policies and procedures, are\ncommunicated to lower-level management and operations personnel.\nThis communication is essential to achieve a unified effort by all\nemployees to meet the regulated entity\u2019s objectives. 
Finally,\ncommunication across the entity is necessary to ensure that\ninformation that one business line or department knows can be shared\nwith other affected divisions or departments.\n\n12.\nMonitoring Activities and Correcting Deficiencies\n\n12.1. Regulated entities must establish and implement appropriate processes for\nmonitoring the effectiveness of their internal controls.\n\n12.2. Monitoring activities assess whether each of the five components of internal\ncontrol is present and functioning effectively to support the achievement of the\norganization\u2019s objectives. Monitoring is a key input of the organization\u2019s\nassessment of the effectiveness of internal control. It also provides valuable\nsupport for assertions of the effectiveness of the system of internal controls.\n\n12.3. As an entity\u2019s operating environment may be dynamic and rapidly evolving, it\nis important for regulated entities to continually monitor and evaluate their\ninternal control systems in the light of changing internal and external conditions\nand enhance these systems as necessary to maintain their effectiveness. Senior\nManagement should ensure that the monitoring function is properly defined and\nappropriate for size, complexity, structure, nature of business, and risk profile\nof the regulated entity.\n\n12.4. Monitoring the effectiveness of internal controls can be done by personnel from\nseveral different areas, including the business function itself, financial control,\nand internal audit. For that reason, it is important that Senior Management\nmakes clear which personnel are responsible for which monitoring functions.\nMonitoring of effectiveness of internal controls should be ongoing, as part of\nthe daily activities of the regulated entity but could also include separate\nperiodic evaluations as appropriate. 
The frequency of monitoring different\nactivities of a regulated entity should be determined by considering the risks\ninvolved and the frequency and nature of changes occurring in the operating\nenvironment.\n\n12.4.1. Ongoing monitoring activities can offer the advantage of quickly\ndetecting and correcting deficiencies in the system of internal controls.\nSuch monitoring is most effective when the system of internal controls\nis integrated into the operating environment and produces regular\nreports for review. Examples of ongoing monitoring include the review\nand approval of journal entries, and management review and approval\nof exception reports.\n\n12.4.2. In contrast, separate evaluations typically detect problems only after\nthe fact; however, separate evaluations allow an entity to take a fresh,\ncomprehensive look at the effectiveness of the internal control system\nand specifically at the effectiveness of the monitoring activities. These\nevaluations can be done by personnel from several different areas,\nincluding the business function itself, financial control, and internal\naudit. Separate evaluations of the internal control system often take the\nform of self-assessments when persons responsible for a particular\nfunction determine the effectiveness of controls for their activities. The\ndocumentation and the results of the evaluations are then reviewed by\nSenior Management. All levels of review should be adequately\ndocumented and reported on a timely basis to the appropriate level of\nmanagement.\n\nInternal Audit\n\n12.5. As applicable, there should be an effective and comprehensive audit of the\ninternal control system carried out by operationally independent, appropriately\ntrained, and competent staff.\n\n12.6. 
The internal audit function, as part of the monitoring of the system of internal\ncontrol, should report directly to the Governing Body or its audit committee,\nand communicate its findings and recommendations to Senior Management.\nThe internal audit function should have appropriate standing within the\nregulated entity to ensure Senior Management acts upon its recommendations.\n\n12.7. The internal audit function is an important part of the ongoing monitoring of\nthe system of internal controls because it provides an independent assessment\nof the adequacy of, and compliance with, the established policies and\nprocedures. It is critical that the internal audit function is independent from the\nday-to-day functioning of the regulated entity and that it has access to all\nactivities conducted by the regulated entity including, where applicable, at its\nbranches and subsidiaries.\n\nInternal Control Deficiencies\n\n12.8. Regulated entities must ensure that internal control deficiencies, whether\nidentified by business line, internal audit, or other control personnel, are\nreported in a timely manner to the appropriate parties for corrective action. All\nsignificant internal control deficiencies must be reported to Senior Management\nand the Governing Body of the regulated entity.\n\n12.9. Reporting on internal control deficiencies depends on the criteria established\nby the Governing Body, Management, and other parties such as regulators and\nstandard-setting bodies, as applicable. Results of ongoing and separate\nevaluations are assessed against those criteria to determine whom to report to\nand what is reported.\n\n12.10. 
Once internal control deficiencies and ineffectively controlled risks are reported,\nit is important that Management corrects the deficiencies on a timely basis.\nSenior Management should be responsible for establishing an appropriate\nsystem to track internal control weaknesses to ensure that actions to rectify\nthe weaknesses are carried out on a timely basis. As applicable, the internal\naudit function should conduct follow-up reviews or other appropriate forms of\nmonitoring, and immediately inform Senior Management or the Governing Body\nof any uncorrected deficiencies.\n\n12.11. Regulated entities should have adequate procedures for receiving, recording,\ninvestigating, monitoring, and resolving complaints from customers. A high\nnumber of complaints may indicate inadequate controls or undue override of\nexisting controls. Therefore, regulated entities should ensure complaints are\nhandled fairly, consistently, and in a timely manner and that necessary action is taken to\nsufficiently remediate the control deficiencies highlighted by the complaints.\n\n12.12. The Governing Body and Senior Management should periodically receive\nreports summarising key control issues that have been identified and\/or\ncomplaints received. The reports should include information such as nature of\nissues, volume, frequency, how the issues were addressed, and disciplinary\nactions undertaken for non-compliance. 
Issues that appear to be immaterial\nwhen individual control processes are looked at in isolation may well point to\ntrends that could, when linked, become a significant control deficiency if not\naddressed in a timely manner.\n\nPART II\nSECTOR-SPECIFIC RULES AND GUIDELINES\n\nA.\nTRUST COMPANIES, COMPANY MANAGERS AND CORPORATE\nSERVICES PROVIDERS\n\n1.\nIntroduction and Scope of Application\n\n1.1\nThe purpose of this part of the Internal Controls Rules and Guidelines is to\nestablish the obligations and provide some guidance specifically for the\nregulated entities in the fiduciary service sector. The regulated entities covered\nin Section A of Part II are (1) trust companies; (2) company managers; and\n(3) corporate services providers.\n\n1.2\nThis sector-specific guidance addresses specialised areas that require more\nand\/or different guidance or explanation than dealt with in Part I of this Rule\nand Statement of Guidance and should be read in conjunction with Part I.\n\n2.\nDefinitions\n\n2.1\nThe following definitions are provided for the purpose of this section:\na.\n\u201cClient\u201d refers to a person with whom the regulated entity has entered\nan agreement to provide services constituting trust business or\ncompany management business. 
Where the regulated entity is a Trust,\nRestricted Trust or Nominee Trust, \u201cClient\u201d may also refer to a\nbeneficiary of any trust administered by a Trust, Restricted Trust or\nNominee Trust.\n\nb.\n\u201cClient money\u201d includes money that a regulated entity holds or\nreceives on behalf of a Client or owes to a Client.\n\n3.\nOperational Controls\n\n3.1\nAs applicable, a Client\u2019s assets must be segregated from other Clients\u2019 assets\nand from those of the regulated entity.\n\n3.2\nClient money must be held in clearly segregated and distinct accounts from\nother Clients\u2019 accounts and any accounts of the regulated entity.\n\n3.3\nRegulated entities must ensure appropriate written disclosure to Clients on the\nterms upon which Client money is held.\n\n3.4\nRegulated entities must ensure that Client money accounts are reconciled\npromptly.\n\n3.5\nAppropriate authorisation and signing powers, at a minimum, dual signatory in\nthe event of Client money pay-outs shall be implemented, subject to Client\nagreed terms and conditions.\n\n3.6\nRegulated entities shall implement policies and procedures to prevent, subject\nto Client agreed terms and conditions, inappropriate use of Client money\nincluding the use of such Client money for the settlement of the regulated\nentity\u2019s fees and disbursements.\n\nB.\nSECURITIES INVESTMENT BUSINESS\n\n1.\nIntroduction and Scope of Application\n\n1.1.\nThe purpose of this part of the Internal Controls Rules and Guidelines is to\nestablish the obligations and provide some guidance specifically for regulated\nentities in the securities investment business sector. 
The regulated entities\ncovered in Section B of Part II are securities investment business licensees and\nregistered persons undertaking the regulated activities of market makers,\nbroker-dealers, securities arrangers, securities advisors, and securities\nmanagers.\n\n1.2.\nThis sector-specific guidance addresses specialised areas that require more\nand\/or different guidance or explanation than dealt with in Part I of this Rule\nand Statement of Guidance and should be read in conjunction with Part I.\n\n2.\nDefinitions\n\n2.2\nThe following definitions are provided for the purpose of this section:\n\na.\n\u201cClient\u201d, as defined in Securities Investment Business Act (As\namended), refers to a person with or for whom securities investment\nbusiness is transacted.\n\n3.\nOperational Controls\n\n3.1.\nRegulated entities must establish appropriate policies and procedures to\nminimize the potential for the existence of conflicts of interest between the\nregulated entity or its personnel and Clients. 
In circumstances where actual or\napparent conflicts of interest cannot reasonably be avoided, Clients must be\nfully informed of the nature and possible ramifications of such conflicts and in\nall cases, treated fairly.\n\n3.2.\nWhere a regulated entity exercises discretionary authority over a Client\u2019s\naccount, procedures must be established to ensure that the precise terms and\nconditions under which such authority may be exercised are effectively\ncommunicated to the Client, and that only transactions which are consistent\nwith the investment strategies and objectives of the relevant client are effected\non the Client\u2019s behalf.\n\n3.3.\nRegulated entities must establish and maintain appropriate and effective\nprocedures in relation to dealing and related review processes to prevent or\ndetect errors, omissions, fraud and other unauthorised or improper activities,\nand which ensure the fair and timely allocation of trades effected on behalf of\nClients.\n\n3.4.\nRegulated entities must ensure that Client funds and property are clearly\nsegregated from funds and property of the regulated entity.","akn_extracted_at":"2026-06-22 15:40:06.565376+00","cms_id":"2023-0040","law_type":"subordinate","year":"2023","number":"40","title":"Rule and Statement of Guidance \u2013 Internal Control for Regulated Entities","status":"in_force"},"provenance":{"files":[{"file_id":"5185","expr_id":"290","kind":"akn_xml","filename":"2023-0040_SL 40 of 2023.akn.xml","source_url":null,"storage_path":"\/Users\/q\/kyleg-data\/working\/SUBORDINATE\/2023\/2023-0040\/2023-0040_SL 40 of 2023.akn.xml","content_md5":"4ba5e3dfadb07244eb485598fbd7f6a7","byte_size":"51986","http_last_modified":null,"fetched_at":"2026-06-22 15:40:06.729285+00"},{"file_id":"579","expr_id":"290","kind":"pristine_pdf","filename":"2023-0040_SL 40 of 2023.pdf","source_url":"\/cms\/images\/LEGISLATION\/SUBORDINATE\/2023\/2023-0040\/2023-0040_SL 
40 of 2023.pdf","storage_path":"\/Users\/q\/kyleg-data\/pristine\/SUBORDINATE\/2023\/2023-0040\/2023-0040_SL 40 of 2023.pdf","content_md5":"56c5a96cd5d8351a52fed3c42e16868a","byte_size":"819178","http_last_modified":null,"fetched_at":"2026-06-21 23:09:36.325696+00"},{"file_id":"580","expr_id":"290","kind":"working_pdf","filename":"2023-0040_SL 40 of 2023.pdf","source_url":"\/cms\/images\/LEGISLATION\/SUBORDINATE\/2023\/2023-0040\/2023-0040_SL 40 of 2023.pdf","storage_path":"\/Users\/q\/kyleg-data\/working\/SUBORDINATE\/2023\/2023-0040\/2023-0040_SL 40 of 2023.pdf","content_md5":"56c5a96cd5d8351a52fed3c42e16868a","byte_size":"819178","http_last_modified":null,"fetched_at":"2026-06-21 23:09:36.325696+00"}],"paragraph_count":166,"latest_history":null},"quality":{"expr_id":"290","doc_id":"290","quality_state":"known_issue","quality_score":"63","needs_human_review":"t","deterministic_categories":"{page_header_footer_noise,title_mismatch}","llm_categories":"{truncated_text,paragraph_numbering_problem,other}","repair_actions":"{collapse_duplicate_text,manual_review,rebuild_paragraphs,reextract_full_text,strip_page_furniture,verify_title_metadata}","finding_severity_counts":"{\"low\": 2, \"medium\": 1}","finding_summary":"Sample appears truncated mid-sentence; verify completeness and check paragraph numbering consistency.","assessed_at":"2026-06-22 15:29:46.102586+00","updated_at":"2026-06-22 15:29:46.102586+00"}}