In 2020, as part of its oversight and prudential supervision, the Securities and Markets Supervision function within the Malta Financial Services Authority (the “MFSA”) carried out several onsite visits to the offices of companies involved in investment services and investment management related activities in Malta. The key findings and recommendations were highlighted in a document titled “The Nature and Art of Financial Supervision”, Volume IV, issued on 7th April 2021. The purpose of this document is to describe the MFSA’s approach to the supervision of fund managers, including alternative investment fund managers, UCITS management companies, de-minimis fund managers, and collective investment schemes (Alternative Investment Funds, UCITS funds, and Professional Investor Funds).
As part of our weekly write-ups on compliance-related matters, we would like to focus on the findings and recommendations provided by the MFSA in relation to the outsourcing of the Compliance Function, compliance reporting, and the Compliance Monitoring Program.
Outsourcing of the Compliance Function
The MFSA emphasises the importance of communication between the outsourced Compliance Function and the regulated entities mentioned above. The Compliance Function, especially when all or part of the compliance tasks are outsourced, should:
- Take an active role within the regulated entity;
- Be involved beyond the mere submission of the Compliance Report;
- Be involved beyond the mere preparation of the Compliance Monitoring Program;
- Develop proper communication lines with the Board of Directors;
- Develop proper communication with the key function holders;
- Be updated with the key developments within the regulated entity;
- Be well versed with the services and activities provided by the regulated entity and with the compliance status of the regulated entity;
- Dedicate adequate time and resources to its duties.
The MFSA reiterates that as part of the board pack, the Board of Directors of the regulated entities shall be presented with periodical compliance reports. These reports should be in line with the applicable rules and should outline the required confirmations and should provide an update on the relevant compliance matters that are covered during the reporting period.
Moreover, the MFSA states that good compliance practice requires that the compliance reports do not merely provide the required confirmations but also provide certain updates to the Board, namely:
- Updates on the Compliance Monitoring Program progress conducted throughout the year and the escalation of any findings identified;
- Updates on any local and international regulatory developments relevant to the regulated entities; and
- Updates on the submission of regulatory filings.
Other relevant matters that should be captured by the compliance reports include the following:
- Deficiencies or breaches which occurred during the period and an update on any pending matters, which could potentially lead to breaches;
- The checks conducted by the Compliance Function, highlighting any findings made and a recommended way forward.
Where onsite or offsite checks have been carried out, the compliance reports should have annexed to them a report drawn up by the Compliance Function on the findings evidenced and the recommendations provided.
Compliance Monitoring Program
The MFSA stresses the importance of utilising the Compliance Monitoring Program as a monitoring tool. Therefore, the Compliance Function should provide, in the compliance reports, adequate updates on such program. These updates should be detailed and should be accompanied by supporting documentation.
The MFSA also reconfirms that the Compliance Monitoring Program should:
- Establish the activities, risk areas, policies and procedures of the regulated entity which will be monitored and tested during the year;
- Clearly outline the compliance monitoring to be carried out by the Compliance Function in a particular year, ensuring that high-risk areas which are relevant to the regulated entity are identified and monitored;
- Not be of a general nature;
- Highlight and identify the frequency of checks to be conducted and/or specific procedures to be monitored/tested by the Compliance Function;
- Identify specific features and/or highly relevant processes or issues of the particular regulated entity;
- Be a live document, dynamic, and adapted to changes within the regulated entity, the industry and regulatory environment;
- Not focus on the same identical checks year after year;
- Be accompanied by sufficient documentary evidence (reports, findings and recommendations) that the checks and tests highlighted are being undertaken at the frequency stipulated;
- Not approach compliance as a tick-the-box exercise or simply as a regulatory calendar, but serve as a highly relevant compliance plan for the year;
- Ensure that the compliance reviews and checks conducted are commensurate with the nature, scale and complexity of the operations of the regulated entity, and be tailor-made for the specific regulated entity;
- Be based on a risk assessment exercise carried out by the Compliance Function prior to its drawing up.
Furthermore, the MFSA reiterates that the Compliance Function “should not only focus on the design of the Compliance Monitoring Program, but also the execution of such a plan, which is to be evidenced accordingly through supporting documentation such as offsite/onsite reports relating to the checking undertaken, also highlighting recommendations made”.
For further information on the subject matter, please contact us at [email protected].
The information contained in this write up is provided for general informational purposes only. It does not, and is not intended to, constitute legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this write up without seeking legal or other professional advice for your particular situation.