CSP Ongoing Obligations: No ‘one size fits all’ Author: Annalise Papa Published on May 3, 2021 The reform to the Company Service Provider (CSP) regime introduced on 16 March 2021 by the Company Service Providers (Amendment) Act, 2020 brought with it a revamped CSP Rulebook (Rulebook). As previously exempt CSPs continue to work towards applying for their licences by the impending 16 May 2021 deadline, they are also looking at what their obligations will be should they be granted authorisation by the Malta Financial Services Authority (MFSA). The same is being done by CSPs who were already registered with the MFSA before the reform took place and who must ensure full compliance with the amended rules by no later than 16 September 2021. As a CSP, you must look to the Rulebook as the primary document outlining the ongoing obligations you will need to comply with once authorised. Although much hope was pegged to a clear delineation of the applicability of the rules by CSP classification (see our article here as regards CSP classifications), even a quick read of the Rulebook reveals that there is no immediately apparent delineation of the kind. It is probably only possible to differentiate between classes with regard to a handful of the central obligations imposed by the Rulebook. Indeed, it is primarily the capital requirements and the insurance requirements that vary. As regards the other obligations, the MFSA has stressed that the rules are principle-based and should be adhered to in a manner that is proportionate to the size, risk and business model to which they apply. The Rulebook is peppered with references as to how the rules may be applied by CSPs who are individuals but there is no quick ‘class-by-class’ breakdown of the obligations. The following is a brief overview of a few of the main considerations relating to CSP ongoing obligations. Initial Capital Requirements and Professional Indemnity Insurance Cover The minimum capital which a CSP requires as initial capital varies depending on the CSP’s classification as a Class A, Class B or Class C CSP and whether it is over-threshold or under-threshold: a Class A CSP has an initial capital requirement of €10,000 which is reduced to €2,500 in the case of under-threshold Class A CSPs; a Class B CSP has an initial capital requirement of €15,000 and it must obtain Professional Indemnity Insurance (“PII”) cover. The initial capital requirement is reduced to €5,000 in the case of under-threshold Class B CSPs and these are not subject to an insurance requirement; a Class C CSP has an initial capital requirement of €25,000 and it must obtain PII. As regards the PII, the Rulebook indicates that the MFSA may accept adequate Directors and Officers insurance instead of, or together with, PII. Moreover, the Rulebook indicates some options that may be used by CSPs who are individuals to satisfy the ‘own funds’ requirement relating to the capital rules. Indeed, such individuals may opt to obtain a guarantee or an irrevocable letter of credit from a credit institution conforming to the conditions set out in the Rulebook in that regard. General Requirements, Governance, Management and Compliance The obligations to act ethically, demonstrate financial soundness, report changes to the MFSA and to ensure regularity and continuity of business are applicable to all CSPs. The same goes for the obligation to have reputable, skilled, experienced, committed, and knowledgeable management teams and personnel in place. Clear decision-making procedures and staff awareness of the same are crucial as is the need for the implementation of a dual control principle in CSPs which are legal entities such that they are to be effectively directed or managed by at least two individuals. A Money Laundering Reporting Officer and Compliance Officer are required although individuals are considered to also be the MLRO and may or may not be the Compliance Officer. These officers, together with other senior managers and approved persons within a CSP, need to submit personal questionnaires to the MFSA. Adequate record keeping procedures which properly cater for the security and confidentiality of information are also required, together with other policies and procedures designed to ensure adequate compliance with CSP laws. There must be regular monitoring and re-evaluation of the adequacy and effectiveness of a CSP’s systems, internal control mechanisms and arrangements put in place to comply with these obligations. An annual report on these matters is also required and must be submitted to the MFSA for review should it so request. Proper notification of changes to the MFSA is also required. Risk Management The Risk Management functions of CSPs beyond ‘classic’ ML/CFT risks is possibly the most well-known aspect of the reforms. CSPs must manage risk and are expected to take a comprehensive approach to risk management without limiting themselves to ML/CFT risks. A risk register is also to be maintained. Class C CSPs are required to establish and maintain a risk management function (Risk Officer) which independently implements the policy and procedures outlined in the Rulebook and provides reports and advice to senior management. A derogation from the requirement of having an independent risk management function is possible provided this does not give rise to conflicts of interest. In such case, the CSP would have to prove to the MFSA that having an independent risk management function with sole responsibility for risk management is not appropriate and proportionate in view of the business and the CSP services provided. If a derogation is granted, the CSP will have to prove to the MFSA that the policies and procedures adopted satisfy the requirements laid down in the Rulebook and are consistently effective. Conduct of Business and Reporting One of the novelties of the reform is the introduction of a level of conduct supervision aspect to CSPs akin to other businesses holding an MFSA ‘authorisation’. CSPs are required to have transparent reporting lines and appropriate mitigation of conflicts of interest where they may arise, coupled with clear rules on personal transactions. All of these are to be clearly catered for in appropriate policy documents. Complaint handling procedures are also required coupled with the maintenance of a ‘complaints register’. There must also be segregation of the CSP’s funds from those of their clients. Appropriate customer acceptance policies are required and customer due diligence must be undertaken before accepting new clients and client agreements need to contain the minimum requirements set out in the Rulebook. CSPs will be required to disclose their authorised status. Any outsourcing of functions must be covered by clear agreements and policies in that regard. CSPs also have reporting obligations to comply with through the submission to the MFSA of, inter alia, annual compliance certificates, annual financial returns/statements and self-declarations in the case of under-threshold CSPs. An annual supervisory fee must also be paid. Conclusions To gear your CSP business for full Rulebook compliance by the applicable deadlines, a close analysis of the Rulebook as it may apply to your particular business model is required. The obligations in the Rulebook clearly necessitate the development and periodic review of numerous policies and procedures addressing specific items and requiring specific content which needs to be tailor-made to your particular business model. Ongoing compliance also pre-suppose the setting up of a compliance calendar to ensure that, as a CSP, you are carrying out any periodic evaluations and reporting properly and as required by the Rulebook. All CSPs but in particular those who were previously exempt CSPs or who may not be familiar with what regulatory compliance entails are particularly encouraged to seek advice in this regard to facilitate compliance by their business with the applicable rules. Should you need any advice on these matters please contact Annalise Papa. Go back