Building a Culture of Compliance
Malta Financial Services Authority underlines necessity of an effective governance framework for company service providers in Malta
In a governance note published on 9th March 2021 the MFSA has emphasised that the creation of a sound compliance culture should be the foundation upon which Company Service Providers (CSPs) build their structures.
Compliance as a top-down exercise
At Board of Directors’ level, the MFSA stipulates that this has to translate into practising a culture of compliance and determining the means with which to embed this culture at all levels of an organisation, setting the tone from the top. On an ongoing basis, Boards are responsible for effectively monitoring the development of this culture.
Other than complying with relevant local and international regulations, CSPs are expected to have in place:
- tailor-made policies and procedures to support the implementation of the Board’s expectations, and clear reporting lines; and
- competent senior management to oversee the operation of control structures as well as staff trained in relation to the CSPs’ procedures to be able to apply them in practice.
Three lines of defence
Furthermore, the MFSA requires that CSPs also have a “three lines of defence” model appropriate to their business profile. The standard three lines of defence model can be summarised as follows:
1. The first line of defence consists of those officers and employees who have a direct interface with clients and carry out CSP activities;
2. The second line of defence consists of the monitoring and oversight functions of the Compliance and the AML/CFT functions; and
3. The third line of defence is entrusted with assessing the internal controls and the monitoring in place. In larger organisations this generally has to be performed by an internal audit function. In smaller entities, where a separate internal audit function is not proportionate to the nature, scale and complexity of the business, an effective Compliance function becomes even more critical to the organisation.
Accountability and transparency
CSPs are expected to have documented policies and procedures in place identifying who is responsible for what. Accurate board minutes have to be maintained as well as records of any complaints and breaches of laws and regulations.
Client agreements detailing the services offered to clients including fee structures, signed by the CSP’s representatives and the client are also to be maintained.
Accessibility of records and management of information is considered paramount. Beyond maintaining information, CSPs should be able to retrieve it as and when required, allowing for timely reporting and for sufficient and clear information to be provided in these reports and during onsite visits performed by supervisory authorities.
To harmonise the approach to the implementation of technology arrangements, ICT and security risk management, as well as outsourcing arrangements, the MFSA has issued a specific guidance document.