FMA continues to toughen stance on governance and compliance

Contributed by: Emmeline Rushbrook, Tom Hunt and Bridgette White

Published on: September 25, 2020

In a report released yesterday, the FMA shared the findings from its supervisory activities over the last 18 months. While the report noted that it did not identify issues within all entities and many entities were working hard to move towards the regulators' expectations, the FMA says that there were still many issues arising. 
 
The report focusses on the key categories of issues arising (providing anonymised examples). It urges all entities that the FMA supervises (including Financial Market Supervisors, QFEs, AFAs, Derivatives Issuers, MIS managers, DIMS and other entities whose activities are covered by the FMCA) to:

  • review and evaluate their conduct and compliance against the FMA's expectations described in the report; and

  • take action to meet those expectations if any shortcomings are identified.   

The report signals that the FMA's monitoring programme for the coming year will include a strong focus on the four key areas of concern identified in the report:

  1. Governance and oversight

  2. Conduct and culture

  3. Compliance Assurance Programmes

  4. AML/CFT reporting entities

Particular attention in the upcoming monitoring programme will also be given to AFAs and QFEs. This is both as a result of recent FMA supervisory findings in those sectors, and in preparation for the transition to the new financial advice regime in 2021.
 
The key takeaway for us from the report is that entities need to get the basics of their corporate governance, conduct risk management, compliance programme (and, in particular, assurance over that compliance programme) right and to allocate sufficient resources to make this happen. 
 
Crucially, the report contains a stark message that, given the maturity of the regulatory regime and the clear expectations that the FMA has set, entities should anticipate a robust enforcement response (including court proceedings) if entities do not meet their obligations. There is a further implication that, if an entity breaches its obligations, the FMA's choice of enforcement response may be influenced by whether or not the entity could have avoided the breach had it taken account of the findings and recommendations in the report.
 
A summary of the key areas of concern for all regulated entities is set out below. The report also contains separate sector-specific findings for Financial Market Supervisors, Derivatives Issuers, AFAs and QFEs. Consistent with the FMA's messaging, we recommend all entities supervised by the FMA read the full report here. Entities should ensure that they have appropriately considered the FMA's Good Conduct Guide, the FMA's Corporate Governance Guide and the FMA's earlier guidance on Compliance Assurance Programme requirements.
 
Please contact one of our experts if you wish to discuss the FMA's report and expectations or any other aspect of your corporate governance, compliance architecture, or Compliance Assurance Programme.

Governance and oversight

The FMA breaks this theme into three main categories:

Corporate Governance 

The FMA has encouraged entities to revisit governance basics, including as outlined in the FMA's Corporate Governance Handbook. The FMA says that its monitoring found:

  • some board directors did not have a good understanding of corporate governance or their entity’s obligations;

  • issues with some boards' characterisation of who could properly fulfil the role of an independent director;

  • reporting to the board lacking sufficient detail, or being too lengthy for directors to reasonably review; and

  • failures to periodically review the effectiveness of the board. 

Risk and compliance resourcing

Some entities had insufficient resources to effectively support the management of risk and compliance, including documenting, implementing, maintaining and reviewing the related frameworks, policies and procedures. The FMA has said that it will expect:

  • Responsibilities for managing risk and compliance to be clearly defined.

  • Compliance managers to have adequate knowledge of the entity’s policies, operating model and/or obligations.

  • Adequate risk and compliance frameworks, policies and procedures to be in place.

Oversight of outsource providers and other third parties

Monitored entities outsource a range of functions including investment management, distribution/sale of products, compliance assurance and IT services. The FMA stressed that entities remain responsible for any functions that they outsource. The FMA:

  • noted a range of weaknesses found in the oversight of outsource providers in some instances; and

  • stated its expectation that entities conduct due diligence before engaging an outsource provider. This should include reviewing the outsource provider’s processes and controls and monitoring the provider's performance. Ideally, monitoring will be conducted by the entity and go further than relying solely on reports from the provider itself.

Conduct and culture 

Over the last 18 months, the FMA monitored conduct and culture in a wider range of entities than just the retail banks and life insurers that were the subject of reviews in 2018. Many findings of weakness and recommendations were similar to those observed in the bank and life insurer feedback. For example, the FMA found that regulated entities should focus on the following areas:

  • Improving governance of conduct.

  • Establishing effective mechanisms to identify and manage conduct risks.

  • Focusing on customers’ needs and outcomes.

  • Ensuring the needs of vulnerable customers are addressed.

  • Establishing processes to manage customer complaints, or for staff to report conduct issues.  

The report also expands on earlier FMA messaging that, to maintain trust in the financial system, entities should have customers at the heart of their business models and governance.
 
The FMA expects that all entities will undertake and document an assessment of their business against the principles in the FMA Conduct Guide (and related conduct guidance issued) and address any gaps. It also emphasised that all entities should constantly revisit whether their processes and their treatment of customers lead to best customer outcomes. Entities should not wait for issues to be raised by customers or regulators.

Compliance Assurance Programmes (CAPs) – time to recap 

The report said that the FMA found numerous examples where entities' CAPs did not meet the minimum standards or were poorly designed. It is clear from the detailed findings in this part of the report that the FMA is looking for a maturity uplift by regulated entities in this area.
 
We recommend that FMC entities should swiftly reassess whether their CAPs are fit for purpose, including by reference to the FMA's 2018 information sheet on its expectations for CAPs.
 
To recap, we note that the FMA has explained that it considers a CAP as different to an entity's "compliance programme". The purpose of a CAP is to provide assurance to the entity's oversight body that the underlying compliance programme is operating effectively and ensuring the ongoing compliance of the business. Licensed Supervisors and AML/CFT Reporting Entities are required to have similar assurance policies, procedures and controls.
 
In addition to the report's focus on CAPs, the report provides examples of a range of other compliance and controls weaknesses that the FMA identified in its supervisory work. The FMA's expectations arising from these findings can be summarised as being to:

  • comply with all their obligations on an ongoing basis, and to engage with the FMA when they identify any compliance issues;

  • have an appropriate set of policies and procedures that are suitable for the size and nature of their organisation;

  • comply with their obligations by ensuring that appropriate training is provided to staff and records of the training are kept; and

  • communicate clearly and honestly with customers.

Get in touch

Please contact one of our experts if you wish to discuss any aspect of this note or the FMA's report.


This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.
