Rules and Statement of Guidance – Nature, Accessibility, and Retention of Records for Licensees Conducting the Business of Company Management
In forcePage 1 of 12 RULE AND STATEMENT OF GUIDANCE Nature, Accessibility, and Retention of Records for Licensees Conducting the Business of Company Management
AUGUST 2023
Page 2 of 12 Table of Contents
Page 3 of 12 List of Acronyms
AMLR Anti-Money Laundering Regulations (as amended) BTCA Banks and Trust Companies Act (as amended) CA
Companies Act (as amended) CIMA CMA
Companies Management Act (as amended) IA
Insurance Act (as amended) LLCA Limited Liability Companies Act (as amended) LLPA Limited Liability Partnership Act (as amended) MAA Monetary Authority Act (as amended) MFA
Mutual Funds Act (as amended) PA
Partnership Act (as amended) POCA Proceeds of Crime Act (as amended) PTCR Private Trust Companies Regulations (as amended)
Page 4 of 12
Rule and Statement of Guidance Nature, Accessibility, and Retention of Records for
Introduction
1.1. This document (“the Rules and Guidance”) establishes the Cayman Islands Monetary Authority’s (the “Authority” or “CIMA”) Rule and Statement of Guidance on Nature, Accessibility, and Retention of Records for Licensees Conducting the Business of Company Management.
1.2. Where applicable, any acts referred to in this document include related regulations as may be amended from time to time.
1.3. The Rules and Guidance should be read in conjunction with the relevant Acts and regulatory instruments issued by the Authority from time to time.
1.4. In order to highlight the Authority’s rules within the compendium, a rule is written in light blue and designated with the letter “R” in the right margin.
Statement of Objectives
2.1. The Rules and Guidance establish minimum requirements and provide guidance to licensees under the Companies Management Act (as amended) (“CMA”), Banks and Trusts Companies Act (as amended) (“BTCA”), Mutual Funds Act (as amended) (“MFA”) and the Insurance Act (as amended) (“IA”), on the maintenance of records in a manner that promotes accessibility, retention, and appropriate security. The rules herein establish the minimum requirements whereas the guidance, not intended to be prescriptive or exhaustive, sets out the Authority’s minimum expectations of a licensee’s record keeping arrangements.
2.2. The Authority recognises that the arrangements for record keeping will vary according to the manner in which the business of the licensee is structured, organised, managed, its size, complexity, nature of business, and the risk profile of its operations. The overriding principle, however, is that the records and systems must be adequate to satisfy the requirements of the Authority and the relevant Acts and regulations.
2.3. All regulatory Acts allow the Authority to access and inspect records maintained by licensees. The Anti-Money Laundering Regulations (as amended) (“AMLRs”) also require the maintenance of certain records. It is expected that record keeping arrangements drafted to comply with the regulatory Acts may be additional to the record keeping arrangements required under other Acts and regulations.
2.4. These Rules and Guidance are consistent with the Authority’s statutory objectives as prescribed in the Monetary Authority Act (as amended) (“MAA”), in particular, Section 34 of the MAA which provides that the Authority may issue rules, statements of principles, or statements of guidance:
“(1) After private sector consultation and consultation with the Minister charged with responsibility for Financial Services, the Authority may–
Page 5 of 12 (a) issue or amend rules or statements of principle or guidance concerning the conduct of licensees and their officers and employees and any other persons to whom and to the extent that the regulatory laws may apply;”
Scope of Application
3.1. These Rules and Guidance apply to all licensees under the CMA, BTCA, MFA, and IA conducting the business of company management pursuant to Section 3(1)(a) – (l) of the CMA, as follows:
a) Acting as a company formation agent; b) Providing a Registered Office or business address for a company; ba) Establishing and maintaining beneficial ownership registers on behalf of companies and limited liability companies incorporated or formed in the Islands, offering an information technology solution to those companies and limited liability companies to make extracts of information on the beneficial ownership register searchable by the competent authority established under Part XVIIA of the Companies Act (as amended) (“CA”) and responding to requests from the competent authority about whether a company or a limited liability company or a subsidiary of the same is exempted from the application of that Part or of Part 12 of the Limited Liability Companies Act (as amended) (“LLCA”); Providing an accommodation, correspondence or administrative address for a company or for any other person; d) Filing statutory forms, resolutions, returns and notices; e) act as or fulfil the function of a person authorised to accept service of process on behalf of a foreign company carrying on business in the Islands or to accept any notices required to be served on it; f) act as or fulfil the function of an officer of a company; g) acting as a nominee shareholder for a company; h) act as or fulfil the function of director or alternate director of a company; i) acting as or arranging for another person to act as secretary, alternate, assistant or deputy secretary of a company; j) act as or fulfil the function of an authorised custodian for the purposes of the CA (as amended); k) providing other corporate services involving the control of the whole or a substantial part of the assets of a company; and providing any additional corporate services as may be specified in regulations.
3.2. The Authority acknowledges that licensees conducting the business of company management that are part of a group may be subject to group-wide record keeping practices. However, the Authority considers it important for each entity in a group structure that is a separate legal entity to adopt record keeping practices that meet the objectives of these Rules and Guidance and that are appropriate for the particular operations of that legal entity.
Page 6 of 12 3.3. Licensees conducting the business of company management must assess whether record keeping practices at the group-wide level meet the objective of these Rules and Guidance. If not, these licensees must adopt record keeping practices which align with these Rules and Guidance. Additionally, when records are kept by another member of the group, they must be accessible to the Authority.
3.4. These Rules and Guidance do not codify or amend any existing Act. Where these Rules and Guidance are incompatible with an existing Act, the Act takes precedence and prevails.
Definitions
4.1. The following definitions are provided for the purpose of these Rules and Guidance:
a) “Business of company management” has the same meaning as that prescribed in the CMA.
b) “Licensee” means a holder of a licence granted under the BTCA, CMA, IA or MFA who engages in the provision of previously specified corporate services.
“Physical Presence” involves maintaining operations at a physical location within the Islands which houses such resources, including staff and facilities, and such books and records, as the Authority considers appropriate, having regard to the nature and scale of the business.
d) “Record” for the purposes of this document includes, as applicable:
i. “Electronic record” as defined in the Electronic Transactions Act (as amended); and/or ii. “Document” as defined in the MAA, which includes paper-based records.
e) “Registered Office” means the official address of an incorporated company to which all communications and notices may be addressed, pursuant to section 50 of the CA.
General
5.1. All records must be legible and easily accessible.
5.2. Personal data must be processed in accordance with the data protection principles as set out in the Data Protection Act (as amended). The main objective of these Rules and Guidance is to protect personal data against theft, accidental loss, unauthorised access, and accidental destruction of data. Licensees conducting the business of company management should therefore have appropriate personal data security measures, records retention policies, personal data breach response plans, and processes for data subjects to be able to exercise their rights.
R
Page 7 of 12 5.3. Records must be accessible and provided by licensees conducting the business of company management to the Authority within a reasonably short timeframe. The Authority expects that most records must be provided without delay, to the Authority, or within the timeframe determined from time to time by the Authority, whether stored within the Cayman Islands or in another jurisdiction, as applicable.
5.4. Licensees conducting the business of company management must keep, maintain, and administer records as required by relevant Acts such as the CA, LLCA, Limited Liability Partnership Act (as amended) (“LLPA”), Partnership Act (as amended) (“PA”), CMA, BTCA, Proceeds of Crime Act (as amended) (“POCA”), Private Trust Companies Regulations (as amended) (“PTCR”), and any other relevant legislation.
5.5. Licensees conducting the business of company management must keep records of books of account and other financial affairs, as well as other records related to its company management business. Examples of such records include:
a) corporate accounting records; b) organisational records such as insurance coverage records and cybersecurity framework records; employee and other administrative records; d) risk management policies; e) corporate records such as incorporation documents, shareholders and directors meeting minutes and board resolutions, and beneficial ownership information; f) client records such as client communication and complaints records; g) service provider records such as copies of contracts and agreements; h) due diligence records on its clients; i) trust deeds; j) annual returns due to the Authority; and k) any other records as required by relevant Acts and/or regulations.
5.6. Record keeping must be sufficient to enable the Authority to monitor the licensee’s compliance with regulatory and anti-money laundering/counter terrorism financing/counter proliferation financing obligations.
5.7. Licensees conducting the business of company management should ensure that their records, including accounting records, are maintained using an appropriate record management system and in a manner that allows the Authority to access records. Records may be kept in a form other than a paperbased document or copy of a document, as long as the integrity of the document remains intact.
5.8. Licensees conducting the business of company management should establish and maintain a records management programme that addresses, inter alia, the categorisation of records; records retention periods for various categories of records; and the disposal of records. The records management programme should include a comprehensive records retention policy in accordance with all relevant regulatory acts, regulations and measures.
5.9. Records must be maintained in a manner that ensures that they are kept upto-date at all times as far as is reasonably practical. There should be no R
Page 8 of 12 unjustifiably excessive delays in the adequate maintenance of records, including keeping relevant records up-to-date.
5.10. Licensees conducting the business of company management may accept and rely on records supplied by a third party as long as those records are capable of being, and are, reconciled with records held by the licensee.
5.11. Where it is impractical for a licensee conducting the business of company management to maintain its own records and records are retained by a third party, the licensee maintains ultimate responsibility for records retention and ensuring records can be retrieved in a timely manner. The licensee conducting the business of company management remains responsible for compliance with all record-keeping requirements and for accessibility of records by the Authority.
5.12. Licensees conducting the business of company management must ensure that all due diligence information on its clients and transaction records related to its company management business are available without delay upon request by the Authority.
Records Retention Timeframe
6.1. Licensees conducting the business of company management must maintain records for a minimum period of five years after each related transaction date or any other period as stipulated in the relevant Acts and/or regulations.
6.2. This minimum retention period requirement is not intended to contravene other legal obligations. Licensees conducting the business of company management may have to keep records for periods longer than five years. For example, where a fiduciary relationship has been formed with clients it may be necessary to keep records for longer periods of time.
Elements of Records Management Programme
7.1. Licensees conducting the business of company management must maintain adequate procedures for the availability, maintenance, security, privacy, and preservation of records, working papers, and documents of title belonging to the licensee, clients, or others so that they are reasonably safeguarded against loss, unauthorised access, alteration or destruction. This includes records retained electronically or by any other medium.
7.2. Records should be retained in the English language or be professionally translated (i.e., the translation is completed by an individual and/or entity duly qualified to do so) into written English without delay at the request of the Authority. Where records are translated, the original language version must be retained.
7.3. Where licensees conducting the business of company management maintain records belonging to another licensee conducting the business of company management who is a client, it should ensure that the client’s records are maintained in accordance with these Rules and Guidance.
R
Page 9 of 12 7.4. A licensee conducting the business of company management should review its record keeping arrangements at least once per year, including where third parties are involved, and make adjustments if necessary.
7.5. The Authority understands that in the normal course of doing business, there will be instances where there is a merger, transfer, or discontinuance of activities. Nonetheless, the Authority expects that licensees conducting the business of company management have a plan in place for the treatment of records once an entity ceases to carry on business. The Authority must be informed of where and how records may be accessed once a licensee conducting the business of company management ceases to carry on business. Notwithstanding, upon cessation of business, record keeping requirements should be met for the period required by the relevant Acts and/or regulations.
Keeping of Accounting Records/Books of Account
8.1. A licensee conducting the business of company management must record information necessary to give a true and fair view of the state of the licensee’s affairs and to explain any transaction carried out on its behalf and/or its client’s. This information will be required by the Authority and must be maintained in such a way so as to enable a particular transaction to be identified at any time and appropriately traced, in particular, to enable early identification of balances and of the particular items which make up those balances.
8.2. A licensee conducting the business of company management must keep proper accounting records/books of account in such a manner that they are sufficient to show and explain the transactions and commitments related to its company management business (whether effected on its own behalf or on behalf of others, including clients) and in particular so that these records:
a) disclose with accuracy and completeness the financial position for a minimum of five years of operation or for a time period as required under the AMLRs; b) demonstrate whether or not the licensee conducting the business of company management is or was at that time complying with its financial resources’ requirement, where applicable (e.g. capital requirements); and enable the licensee conducting the business of company management to prepare, within a time period specified by the Authority, any financial reporting required by the Authority as at the close of business for any date within the previous five years, and that the statement complies with the requirements of the Authority.
8.3. A licensee conducting the business of company management should ensure that its accounting records/books of account relating to its company management business shall as a minimum contain:
a) a record of all assets and liabilities including any commitments or contingent liabilities; b) a record of all income and expenditure explaining its nature; a record of all investments or documents of title in the possession or control of the licensee conducting the business of company management, showing the physical location, the beneficial owner, the R
Page 10 of 12 purpose for which they are held and whether they are subject to any charge; d) entries from day to day of all sums of money received and expended whether on its behalf or on behalf of others (including clients), and the matters in respect of which the receipt and expenditure takes place; e) entries from day to day of all purchases and sales of investments distinguishing those which are made by the licensee conducting the business of company management on its own account or those which are made by or on behalf of others (including clients); and f) entries from day to day of the receipt and dispatch of documents of title, which are in the possession or control of the licensee conducting the business of company management.
Maintenance of Records Outside of the Cayman Islands
9.1. A licensee conducting the business of company management that maintains their accounting and other records in a jurisdiction other than the Cayman Islands, should also ensure that:
a) the data is kept secure and operational risk is mitigated; and b) they are familiar with the Confidential Information Disclosure Act (as amended).
9.2. When records are held outside of the Cayman Islands, licensees conducting the business of company management must ensure that the Authority has access to records regarding the entity or its clients at all reasonable times in accordance with the relevant Acts and within the time stipulated in Rule 5.3.
9.3. Where records are maintained outside the Cayman Islands through outsourcing, storage, or other arrangements, the licensee conducting the business of company management remains ultimately responsible for record keeping requirements and accessibility to records by the Authority.
9.4. A licensee conducting the business of company management should not keep relevant records outside the Cayman Islands if access to those records by the Authority is likely to be restricted or delayed by laws and/or regulations governing the jurisdiction outside of the Cayman Islands. Where such restrictions exist, it is expected that the licensee maintain the same records within the Cayman Islands.
Electronic Records
10.1. It is expected that a licensee conducting the business of company management applies to electronic records, the same requirements associated with paperbased records. The conversion of paper-based records to electronic records via scanning or otherwise, and the consequent creation, retention, storage, and disposal of such records (for example, using emerging technologies such as cloud-based services) should adhere to the same record-keeping standards as paper-based records.
10.2. The Authority understands that electronic records can be more practical than paper-based records for disaster preparedness and storage reasons. Records retention may be in the form of electronic records unless specified otherwise
R
Page 11 of 12 by relevant Acts and/or regulations. Electronic records must be of good quality, an accurate reflection of the paper-based record (where one exists), complete and unaltered, easily accessible, and reproducible in hard copy.
10.3. The Authority expects that caution is used against the premature destruction of paper-based records which have been converted to electronic records. A licensee conducting the business of company management should be satisfied that, inter alia, there are safeguards in place for the conversion of paper-based records. Legal, regulatory, and organisational requirements and recommendations should be key determining factors in the retention of paperbased records.
10.4. The conversion of any paper-based record to an electronic record must not hinder the availability of such records to the Authority. The use of technology to handle records does not absolve a licensee conducting the business of company management from any record-keeping obligations under relevant Acts and/or regulations.
10.5. The Authority expects that licensees conducting the business of company management will comply with the Electronic Transactions Act (as amended).
Enforcement
11.1. Whenever there has been a breach of the Rules contained herein, the Authority’s policies and procedures as contained in the Enforcement Manual will apply, in addition to any other powers provided in the regulatory Acts and the MAA.
Effective Date
12.1. For all new licence applicants, the Rules and Guidance will come into effect immediately on the date the measure is published in the Gazette.
12.2. For existing licensees, the Rules and Guidance will come into effect on 1 April
R
Page 12 of 12