CORPORATE GOVERNANCE FINDINGS
3.1 Oversight of Investment Advice Cycle and Product Approval Process
The Commission would expect a Registered Person to evidence appropriate oversight of the investment services it provides, by demonstrating that all relevant investment discussions and decisions are formally recorded and escalated to the Board of Directors (the “Board”).
Specifically, a Registered Person should ensure that consideration and subsequent approval or rejection of a new investment product, and the monitoring of existing products, is clearly evidenced and escalated, as appropriate.
One way that Registered Persons can effectively demonstrate oversight of their investment business activities is to ensure sufficient and appropriate management information is produced and reviewed on a periodic basis.
However, the Commission noted a number of instances where insufficient management information prevented a Registered Person from demonstrating that it maintained accurate and reliable records and had sufficient oversight of its investment recommendations.
3.2 Compliance Monitoring Programme (“CMP”)
To enable a Registered Person to demonstrate compliance with paragraph 3.5 of the IB Codes, the Commission would expect a Registered Person to establish a robust and effective CMP in order to ensure:
- compliance with the relevant Laws, Orders and Codes;
- appropriate monitoring of operational performance; and
- promptly instigating action to remedy any deficiencies in such arrangements.
The Commission would expect a Registered Person’s CMP to form part of its overall risk management framework.
Accordingly, a CMP must be appropriately tailored to the risks present within a Registered Person’s business. However, the Commission identified a number of instances where the CMP was not adequately tailored. For example, there were instances where a high frequency of monitoring was performed on lower risk areas, whilst high risk areas were only tested once a year.
The Commission noted examples where the Registered Person’s CMP had identified non-adherence to internal systems and controls; however, it did not document what remedial action was required and who was responsible for completion of these tasks.
The Commission also identified examples where there was no record of the conclusion of the remedial action or the date on which it was completed.
Additionally, the Commission noted that the CMP did not always refer to the relevant Laws, Orders and Codes. Registered Persons should also refer to the Commission’s Guidance Note: Compliance Monitoring (Issued 6 December 2013) which is available on the Commission’s website:
Finally, the Commission identified a number of instances where Registered Persons were unable to evidence that findings from the CMP were reported to the Board. In one case, the Registered Person’s Board had never reviewed the effectiveness of its CMP.
In order to demonstrate compliance with paragraph 3.5.3.4 of the IB Codes, the Commission would expect the Compliance Officer to escalate findings from the CMP to the Board for consideration.
Appropriate escalation of these findings to the Board provides an opportunity for the Compliance Officer to present any recommendations that he or she may have and, therefore, allows the Board to determine whether to act upon these recommendations.
3.3 Business Risk Assessment (“BRA”)
To ensure compliance with the requirements of the IB Codes and AML Handbook, a Registered Person must ensure it has assessed the risks faced by its business, documented these risks and provided details of how these risks are monitored and controlled. The AML Handbook requires that the Board’s assessment of the Registered Person’s risk be assessed on an on-going basis.
Examples of risks that a Registered Person may wish to consider are, but are not necessarily limited to:
- Country Risk;
- Reputational Risk;
- Market Risk;
- Financial Risk;
- Operational Risk;
- Fraud/Criminal Risk;
- Liquidity Risk;
- Key Person Risk;
- Regulatory/Compliance Risk;
- New Product Risk;
- Legal Risk.
To fully comply with the requirements of the IB Codes, a Registered Person’s risk assessment should be holistic and not focused only on addressing the requirements of the AML Handbook. Such holistic risk assessments may be documented separately from the BRA.
The Commission identified examples where the BRA consisted of generic risk categories (for example, operational risk) but did not provide further details in relation to the Registered Person’s exposure and management of operational risks specific to the business.
For example, the Commission would expect the BRA to highlight how a breakdown of controls relating to the advice cycle could increase the Registered Person’s exposure to the risk of providing incorrect advice, or not providing advice when it would be appropriate to do so.
The Commission noted that, in a number of cases, the Registered Person’s Board did not consider the effectiveness of its BRA on an on-going basis. The Commission identified one particular example where the Board had not reviewed its BRA for a period of three years.
In light of the above, the Commission would encourage all Registered Persons to review and update, where necessary, relevant policies and procedures to ensure compliance with the requirements of the IB Codes and the AML Handbook, specifically covering the requirement for the Board to review and consider the effectiveness and appropriateness of the BRA on a regular basis.
3.4 Conflicts of Interests
The Commission considers the identification and management of actual and potential conflicts of interest as fundamental to a Registered Person’s regulatory risk framework.
The IB Codes require Registered Persons to take reasonable steps to avoid, where possible, conflicts of interest and, where conflicts do arise, the Registered Person must have adequate policies and procedures in place to ensure these are disclosed and appropriately managed. It is incumbent upon the Registered Person to ensure that there are effective controls in place.
The Commission noted a number of instances where conflicts were not identified or recorded within a Conflict of Interests Register. There were also instances where conflicts were recorded; however, the register did not record the date on which a conflict was identified.
The Commission also observed instances where recorded conflicts were not being managed in the manner required by the Registered Person’s Conflicts of Interest Register.