The scope of the Compliance Monitoring Program is to analyse and suggest methods which will be applied throughout the compliance year in order to ensure the compliance of the company with legislation, rules and regulations applicable to entities licensed by the Malta Financial Services Authority (“MFSA”).
The Compliance Monitoring Program shall apply for a particular reporting period that should not exceed one year (the “Reporting Period”), following which the Compliance Officer shall carry out a fresh risk assessment to identify the areas which require the most attention and shall present the Board of Directors (the “Board”) with a new compliance monitoring program.
Assessment of Critical Compliance Risk Factors
Prior to drawing up the Compliance Monitoring Program, the Compliance Officer shall carry out a careful assessment of the operations of the company and shall identify the major risk factors which are most likely to disrupt the compliance of the company with applicable laws and regulations.
A risk-based approach is the most appropriate tool to determine the topics of main concern and the focus of the monitoring, advisory and assistance activities to be performed. As ESMA's guidance states, “The compliance risk assessment should be reviewed on a regular basis, and, when necessary, updated to ensure that the objectives, focus and the scope of compliance monitoring and advisory activities remain valid”.
This risk assessment can be undertaken by reviewing the operation of the company during the preceding compliance reporting period, the compliance reports, as well as the minutes of the Board meetings during the previous reporting period. Following the identification of these risk factors, the Compliance Officer shall identify the areas to which particular priority must be given in the carrying out of the compliance monitoring function during the coming Reporting Period (the “Focused Areas”).
Against this background, the Compliance Officer shall draw up the Compliance Monitoring Program which will facilitate the determination of the priorities and will guide the Compliance Officer in focusing his efforts on the areas which require the most attention.
Frequently Identified Focused Areas
As mentioned above, the identification of the Focused Areas shall be based on the major risk factors which are most likely to disrupt compliance and shall reflect the changes in the risk profile of a company. Thus, it is not always easy to identify areas of monitoring that apply across the board, especially since the Focused Areas vary from one company to another, in line with the scope and the nature of the activities performed by each licensed entity.
However, we have tried to gather and outline hereinafter, as examples, some of the areas that frequently make it onto the list of Focused Areas of regulated service providers in the financial sector.
- Monitoring and Due Diligence on Service Providers
As part of his monitoring obligations, the Compliance Officer shall monitor third-party service providers to whom functions of the regulated company have been outsourced (“Service Providers”). Such monitoring can be effected by carrying out visits to the offices of the Service Providers, by requesting due diligence documentation on the Service Providers, by ensuring that such due diligence documentation is kept up to date and by requesting sufficient information relevant to the functions being carried out by the Service Provider on behalf of the company.
The Compliance Officer shall also ensure that the company has all the required due diligence documentation of all Service Providers, including but not limited to the following:
- Copy of the licence granted to the Service Provider authorising it to carry out the activities being outsourced, as applicable;
- Identification documentation of key individuals of the Service Provider who will be assigned to the Company on behalf of the Service Provider to carry out the outsourced function;
- Fully executed and dated Service Agreement.
- Mitigation and Reporting of Breaches
The Compliance Officer shall also focus on ensuring that the company has appropriate control measures in place to identify, prevent, and mitigate breaches of compliance by members of the staff.
The Compliance Officer shall implement the Register of Breaches and shall ensure that such Register is kept updated with sufficient records of any breaches disclosed or identified. The Compliance Officer shall establish and implement internal policies and procedures relevant to the reporting of breaches and shall test their effectiveness in identifying and preventing breaches of compliance.
- Review of Internal Policies and Procedures
It should be a prerogative of the Compliance Officer to ensure that all internal policies and procedures are discussed and subsequently approved by the Board and put in place.
The Compliance Officer, based on the pressing necessities of the company and risks involved, may decide to review only a certain number of internal policies during the Reporting Period. At the end of the Reporting Period, following the risk assessment, the Compliance Officer may decide to focus his attention on the internal policies and procedures which were not subjected to review and testing during the Reporting Period.
- Record Keeping
The Compliance Officer shall keep sufficient records on the compliance status of the company and should ensure that a Compliance Report is drawn up and presented to the Board for its approval. The Compliance Report shall outline the methods and findings relevant to the compliance status of the Company. We usually suggest that this report is submitted monthly.
- Regulatory Calendar of Submissions
It is advisable that the Compliance Officer compiles a calendar to include all the required regulatory submissions applicable to the company and presents such calendar to the Board for its approval. On a monthly basis, or on the submission of each Compliance Report, the Compliance Officer may decide to provide an update on the required regulatory submissions relevant to the upcoming month or period.
- Staff Awareness
Another Focused Area frequently identified by regulated entities relates to the training received by their professionals. The Compliance Officer shall monitor the provision of frequent training sessions to the staff on the internal rules, procedures, and manuals of the company. Sufficient written records of any training sessions provided to or attended by staff members of the company shall be kept by the Compliance Officer in the Staff Training Log.
In addition to the Focused Areas identified by the Compliance Officer in the Compliance Monitoring Program, the Compliance Officer shall encourage the company to come forth with any further suggestions or measures in order to ensure compliance with legislation, rules and regulations applicable to the Company as a licensed entity in Malta.
It is worth repeating that at the end of the Reporting Period the Compliance Officer shall carry out a fresh risk assessment to identify the areas which require the most attention.
Frequency and Methodologies of Assessment
Identifying the Focused Areas is not enough. The Compliance Monitoring Program shall also lay down the manner and the frequency in which the monitoring will be carried out on the Focused Areas outlined to better set the work and allocate the resources efficiently during the Reporting Period.
The frequency should reflect the changes to the company’s risk profile. These changes may occur, for example, in the case of significant events such as corporate mergers and acquisitions, IT framework changes, or company reorganisation.
The monitoring and testing can be carried out in different ways, including but not limited to review of documents, policies and procedures manuals, interviewing of the employees involved, testing of samples, etc. It is important that desk-based monitoring activities are combined with on-site inspections to ensure the effective implementation of the relevant processes.
Following his/her monitoring activities, the Compliance Officer shall present to the Board the results of the tests carried out, provide regular updates on the progress of the Compliance Monitoring Program, and issue recommendations to the Board based on the results of the tests carried out.
The information contained in this write up is provided for general informational purposes only. It does not, and is not intended to, constitute legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this write up without seeking legal or other professional advice for your individual situation.