The purpose of the Compliance Policy is to set out high-level principles, and to outline the policies, measures, and controls that the regulated entity has in place in order to ensure that its decisions and actions are in compliance with the rules and regulations applicable to the regulated entity. The Compliance Policy shall apply to all services and activities of the regulated entity and shall form part of its governance framework.
The said policies, measures, and controls should rest on the notions of effective management, reviewing processes, clear reporting lines, regular testing, and staff awareness. Reviewing, monitoring, reporting, and testing processes shall be carried out by the Board of Directors (the “Board”) and through the independent Compliance Function. The Compliance Policy shall expressly address and contain provisions to guide the regulated entity and the Compliance Function at least in relation to the following matters:
Effective Management – The regulated entity shall be effectively directed and managed by at least two directors of good repute and with sufficient knowledge, experience and expertise, satisfying the ‘fit and proper’ test referred to in the applicable rules, and subject to the due diligence and prior approval of the Malta Financial Services Authority (the “MFSA”). All the directors should be involved in the strategies and decision-making process, and frequent meetings of the Board shall be convened for pertinent issues to be discussed and major decisions to be taken.
Reviewing – To ensure compliance with applicable laws and regulations of all decisions adopted by the regulated entity, every Board Meeting shall dedicate sufficient time for reviewing the major actions and decisions taken in the previous period under review.
Role of Compliance Function – The Compliance Policy shall expressly set out the powers and responsibilities of the Compliance Function. The Compliance Function shall be responsible for reviewing all aspects of compliance of the regulated entity and shall demonstrate independence of judgement and exercise proper day-to-day control over the activity of the regulated entity. The Compliance Function shall take all necessary steps and shall be granted the necessary powers and tools to ensure proper and effective compliance, including, but not limited to, carrying out unexpected visits to the offices of the regulated entity and its third-party service providers, and searching files of the regulated entity and its third-party service providers with the sole purpose of reviewing compliance.
Compliance Procedures Manual – A manual may be drafted by the Compliance Function outlining the rules and regulations applicable to the regulated entity and identifying the frequency of review or monitoring which will be conducted by the Compliance Function and the manner (action points) in which the Compliance Function will be conducting its compliance monitoring exercise with respect to each applicable rule.
Compliance Monitoring Programme – At the beginning of every calendar year, the Compliance Function shall provide the regulated entity with an annual Compliance Monitoring Programme outlining the methods and procedures which will be used by the Compliance Function in minimising the risk of non-compliance throughout the upcoming year.
Compliance Visits – The Compliance Policy shall grant the Compliance Function the right to conduct compliance visits to the offices of the regulated entity and/or to the offices of third-party service providers to carry out independent checks by conducting interviews and by reviewing random samples of files and documentation for the sole purpose of ensuring compliance.
Reporting – The Compliance Policy shall establish the procedures to be followed for the reporting of the decisions and actions taken by the staff in the day-to-day business and the approval of the same by the senior officials. It should also elaborate on the proceedings of the Board and on the reporting of the Compliance Function to the Board. The reporting methods adopted shall ensure that the Board of the regulated entity is aware of the status of its compliance and shall enable it to act on any shortcomings.
Testing of Control Measures – The Compliance Policy shall also establish the requirement that its systems, internal control mechanisms and arrangements are monitored regularly, and their effectiveness is evaluated on a regular basis to ensure compliance with the relevant rules and regulations. These include the Procedures Manual, the Business Continuity Plan and the Compliance Policy amongst other policies and procedures.
Staff Awareness – One of the most practical ways to ensure compliance of the regulated entity is to have all its employees and members fully aware of the importance of compliance, what constitutes compliance, how compliance is achieved, and what could lead to a breach of compliance. Therefore, the Compliance Policy shall illustrate the measures adopted by the regulated entity to ensure that all its employees and members are fully aware of the compliance issues and aware of the measures, policies and content found in the Compliance Policy, and the other internal policies and procedures of the regulated entity.
Staff Training – The most effective way to ensure awareness of all the employees is to provide staff training. Internal staff training dedicated to the issues of compliance and to the awareness of the Compliance Policy and other internal policies and procedures should be provided frequently. Additionally, the regulated entity may consider covering the costs of any external training, seminars and conferences attended by any interested staff members, which deal with the area of compliance with applicable laws and regulations, to further incentivise staff to attend such training.
Review of the Compliance Policy – The Compliance Policy shall be reviewed at least once a year; however, should there be changes in the measures and manner in which compliance is ensured, the policy should be reviewed and updated accordingly.
The information contained in this write-up is provided for general informational purposes only. It does not, and is not intended to, constitute legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this write-up without seeking legal or other professional advice for your particular situation.