MFSA Expectations for Corporate Governance of Company Service Providers - An Analysis

Effective corporate governance is a fundamental pillar for the proper functioning and success of any financial services business. The Malta Financial Services Authority (MFSA) places great emphasis on assessing the corporate governance frameworks of Company Service Providers (CSPs) both during the authorization process and as part of its ongoing supervisory activities.

This article explores the key themes and expectations set out by the MFSA in relation to corporate governance practices of CSPs.

Time Commitment.

One of the core elements of good governance that the MFSA focuses on is the time commitment of approved persons performing controlled functions within the CSP. The fitness and properness assessment conducted by the Authority scrutinizes whether individuals are able to dedicate sufficient time to carry out their roles effectively. CSPs need to ensure that key persons' time commitments remain adequate on an ongoing basis and are not diminished after receiving the authorization.

Dual Control.

The principle of dual control, requiring the CSP to be effectively directed or managed by at least two persons, is another crucial governance requirement. The MFSA expects both individuals to have sufficient experience and knowledge of the business, with neither one being overly dominant in the decision-making process. CSPs should maintain records evidencing adherence to dual control.

Yearly Assessments.

In certain cases where CSP activities are provided as ancillary to the main business, the MFSA has required CSPs to conduct yearly assessments to determine if increases in staff complement are needed to support higher business volumes. Thorough documentation of such assessments is necessary.

Knowledge of Regulatory Framework.

Having a robust understanding of the regulatory framework is an essential component of the fit and proper standards for CSPs. The MFSA expects applicants and CSPs to demonstrate a clear grasp of the high-level principles and requirements set out in the CSP Rulebook. Lack of familiarity raises concerns about competence.

Fitness & Properness.

The fitness and properness of approved persons is an assessment that persists on an ongoing basis. CSPs should carry out their own in-depth evaluations of proposed individuals' propriety and suitability prior to appointing them. Transparency with the MFSA is crucial - approved persons must proactively inform the Authority of any material facts that could impinge on their fitness and properness.

A Culture of Compliance.

Instilling a strong compliance culture within the CSP is a key responsibility of its Board of Directors. The MFSA expects directors to take an active role in promoting good corporate governance and ensuring compliance with regulatory requirements. Policies and procedures should be tailored to detect and mitigate risks. Staff should have clear reporting lines, responsibilities and regular training on applicable regulations and internal processes.

The MFSA rules require a minimum of two directors for CSPs established as companies. Both must be fit and proper with the knowledge, experience and personal qualities to effectively apply the four eyes principle in managing the CSP's operations.

The compliance officer also plays a vital independent role in overseeing adherence to regulations and should have sufficient seniority to take decisions that may be unpopular or challenge directors.

Board efficiency.

During supervisory interactions, the MFSA has identified some weaknesses in Board engagement and minute-taking. Detailed minutes of Board discussions on key strategic and risk matters are often lacking. In some cases, Board members did not have a comprehensive understanding of the CSP's operations due to the presence of a dominant director. Combining Board roles with other controlled functions also raised concerns about conflicts and independence.

Policies & Procedures.

While policies and procedures were generally present, the MFSA noted instances of missing documents like outsourcing policies or lack of detail on the practical application of certain procedures. Inadequate policies, for example around client risk assessment, resulted in deficiencies in actual practices.

Onboarding process.

In the client onboarding process, the MFSA stresses the Board's ultimate responsibility for decisions, even where parts of the process are delegated. Dual control should always be applied in onboarding, with at least two directors or approved persons being involved. Client agreements were sometimes found to have missing information or signatures.

Formal written agreements.

Where CSPs share resources or outsource functions within a group, the MFSA expects to see formal written agreements in place governing these arrangements. Regulatory registers like risk and complaints registers should be complete with all necessary details recorded.

Timely filing of regulatory returns.

Timely filing of regulatory returns remains an important obligation and the MFSA noted a few cases of late submissions, which may reflect governance weaknesses. CSPs offering directorship services must hold regular client Board meetings with proper records and ensure statutory filings are made on time to avoid penalties for clients.

Moreover, transparency and cooperation with the MFSA is paramount. The Authority expects to be promptly notified of resignations and appointments of approved persons. Information requests from the MFSA should be responded to in an open, complete and timely manner.

Concluding remarks.

In conclusion, the MFSA has clear expectations around the governance, controls and conduct it requires from authorized CSPs. The Authority takes a proactive approach in assessing how CSPs implement these standards in practice. By embedding robust corporate governance frameworks and a culture of compliance led from the top, CSPs can ensure they meet their regulatory obligations and safeguard the integrity of their business.

10 key takeaways on MFSA expectations for corporate governance of Company Service Providers (CSPs):

1. The MFSA rigorously assesses the corporate governance frameworks of CSPs during authorization and ongoing supervision.
2. Approved persons must have sufficient time commitment to perform their roles effectively, which is monitored by the MFSA.
3. The principle of dual control, requiring at least two persons to direct or manage the CSP, is a core governance requirement.
4. CSPs should conduct yearly assessments of staff complement adequacy, especially when providing services ancillary to their main business.
5. Demonstrating a robust understanding of the CSP Rulebook and its principles is essential for meeting fit and proper standards.
6. The Board of Directors is responsible for instilling a strong compliance culture and ensuring adherence to regulatory requirements.
7. Detailed Board minutes, comprehensive policies and procedures, and complete regulatory registers are important components of good governance.
8. The Board retains ultimate responsibility for client onboarding decisions, which should always involve dual control.
9. Formal agreements must govern any resource sharing or outsourcing arrangements within a group.
10. CSPs are expected to be transparent and cooperative with the MFSA, promptly notifying them of changes in approved persons and responding to information requests in a timely manner.

Sources:

(i) MFSA Guidance Note on the Fulfilment of Post-Authorisation Requirements - Company Service Providers (as issued on the 4th of October 2023).

(ii) MFSA's The Nature and Art of financial supervision - Volume X (Trustees and Company Service Providers Supervision - an insight into the reform of company service providers and the authority’s expectations) - as issued on the 28/02/2024

(iii) MFSA's "Thematic Review on Governance and the Compliance Function in relation to Trustees and Company Service Providers" - issued on the 1st of April 2024.