Outcome of Thematic Review Carried Out by MFSA in Respect of Trustees and Other Fiduciaries Author: Anthony Cremona Published on February 4, 2016 The purpose of the exercise was to enable the MFSA to verify the extent to which the entities the MFSA targeted for participation in the exercise have proper governance structures in place, with a view towards publishing the findings in order to encourage authorised persons to take any corrective action that may be necessary. The TRQ had 3 main focuses: the company’s organisational structure, its business plan, staff related matters, record keeping, business continuity and outsourcing; the board of directors, its composition, board meetings and communication between the board members; the operations of the company. Following receipt of the responses to the TRQ, the CSU within the MFSA performed a desk-based review of the findings, including the key areas of operation and an assessment of the internal controls in place. The information was analysed from two dimensions: regulatory and best practice. Based on the outcome of the desk-based review, the CSU then conducted a number of onsite compliance visits with authorised trustees and other fiduciaries in the course of 2015. The MFSA published the main findings of this exercise in a circular sent out to authorised trustees on the 30 December, 2015. In summary the MFSA’s findings reveal that: Business Plan: “most authorised persons do not have a formal business strategy and/or strategic plan” (including the levels and types of business to be accepted), with the result, according to the MFSA that “in the absence of such strategy it is not possible for entities to monitor the performance against a devised and approved business strategy.” Directors: the MFSA’s findings revealed that most Board of Directors’ meetings are held “informally and infrequently, whereby minutes of discussions held are not duly minuted”. The MFSA urge trustees to ensure that Board meetings are held in line with the requirements of the Companies Act (Cap.386), and that they indicate that at least 2 directors are actually involved in the decision-making process. The analysis also revealed that “in most cases” of the surveyed trustees, no formal agenda or board papers are prepared, which should be provided in good time so as to enable directors to participate actively and be able to take informed decisions. The MFSA also remarked that “it appears that some board members have multiple involvements both in regulated and unregulated companies” and added that “when accepting the position of director, the person nominated must ensure that he has sufficient time to dedicate to such a role.” The MFSA also warned that the MFSA “expects that all directors are aware of the affairs of the authorised entity and they are able to adequately deal with any issues that might arise.” In effect, this is a known concern for the MFSA which regularly also raises issues of perceived ‘conflict of interest’ during trustee authorisation application vetting processes, whenever an applicant picks experiences non-executive directors (NED’s) that may already be involved, either as directors, or in some other capacity, with other trustee companies (even if the latter operate in a totally different market). Indeed, in section 4 of their Circular, the MFSA noted this reality and observed that, “this could give rise to potential conflicts of interest. The thematic review findings indicate that authorised persons understand that any potential or actual conflicts of interest should be disclosed. However it appears that the majority of authorised persons do not have a formal policy in place which deals with the identification, disclosure, management and mitigation of any conflicts that might arise.” The MFSA actually emphasised that “due to the onerous fiduciary obligations of trustees, the Authority expects authorised persons to have in place such a formal conflicts of interest policy.” The reality is that with a small jurisdiction Malta’s, should a hard-line approach be taken against perceived conflicts of interests, the result could make it very difficult for Malta-based NED’s to be found, without having to resort to ‘poaching’ or ‘head-hunting’, if a prospective trustee were to be expected by the MFSA to have to engage only NED’s that are not somehow involved in other authorised entities, or even worse, that are not involved in other directorships. It is actually very positive that the MFSA has taken the position that possible conflicts are not prohibited, but need to be managed, and the suggestion of having a formal conflicts of interest policy in place is positive (albeit, perhaps, somewhat complicated to flesh out in practice). Risk Assessment: The MFSA’s analysis revealed that “risk assessment is not properly undertaken by most authorised persons” reviewed. The MFSA warned that it expects all authorised persons “to identify their key operational risk areas. Such exercise is expected to include details of the risk tolerance limits which the entity is authorised to take and measures as to possible ways to mitigate operational risks.” The MFSA also expressed concern about the authorised persons’ perception of risk, remarking that while most of the entities surveyed indicated that they have a low risk appetite, they still accepted clients from high risk jurisdictions. Professional Indemnity Insurance: despite the deadline to have PII in place by 25th October, 2014 (following Act XI of 2014 published on 25th April, 2014), the MFSA remarked that not all authorised trustees took out PII within the transitory period. Staff: MFSA urged authorised persons that employ staff to ensure there are “formal procedures in place with clear reporting lines which should be made known to employees.” The MFSA also remarked that staff training, including training of directors, appears to be either limited or inadequate and urged authorised persons to have a yearly training program in place with training specific to trusts and fiduciary obligations. Record Keeping: retention of documentation: the MFSA highlighted the importance of having electronic copies of records in order to counter the risk of inaccessibility to documents in the event that the premises from where the trustee is conducting its operations become inaccessible. The MFSA remarked that it expects all trustees to keep electronic copies of all relevant documents applicable to their fiduciary duties. The MFSA also recommended that electronic copies should be regularly backed up, “with back-ups kept off-site in a secure place.” The MFSA also tackled the situation of authorised persons forming part of a group of companies and operate from the same premises, emphasising the importance that the authorised person ensures that “confidentiality is safeguarded at all times and client records are only accessible to authorised staff members.” With regard to clients with whom the authorised person will have lost contact, albeit not formally having terminated the fiduciary relationship, the MFSA remarked that it expects authorised persons to “ensure that all possible venues [sic: avenues] of communication are utilised and proper records are retained that indicate the attempts that have been made to try and re-establish contact.” This actually highlights a very important fiduciary obligation of trustees (and other fiduciaries) who, in situations where contact is lost with the relevant persons, typically tend to focus more on their own position (and safeguarding their interests), with a view to somehow exiting the relationship, than on safeguarding the beneficiaries’ interests. Although a fiduciary clearly does have a right to resign, the fiduciary should always remain mindful of its obligations to the beneficiaries, especially in a trust context, and as the MFSA point out, it should be in a position to show that it has done everything within its power to contact the relevant persons. Abdicating one’s duties is not an option, not even in circumstances where contact is lost. Record Keeping – clients’ lists: the MFSA stated that it expects authorised persons to hold proper clients’ lists that are kept up-to-date and readily available upon request. Business Continuity Plan: The MFSA expressed concern that BCP’s are not always formalised by the authorised persons, which it described as a breach of the rules applicable to trustees and other fiduciaries. The MFSA also remarked that from the BCP’s that were in place that were reviewed, these seemed to focus only on the recovery of the IT system rather than also on other relevant aspects such as succession planning. The MFSA also urged authorised persons to test BCP’s on a regular basis, and stated that it expects records of these tests to be retained. Outsourcing: The MFSA emphasised the importance of ensuring that a written outsourcing agreement is in place whenever functions are delegated to third parties, even when the third party forms part of the same group of companies. According to the MFSA the agreement should specify the services to be provided, accessibility to information and records as well as confidentiality obligations. To this one can also add the importance of setting out in the outsourcing agreement the precise parameters of the services being outsourced and the indication of any yardsticks by which the service being provided can be assessed. Other issues: the MFSA urged authorised persons to carry out bank reconciliations on a regular basis, with such reconciliations being duly signed and dated, and complying with the 4-eyes principle. The MFSA also urged reconciliations of underlying assets (including, but not limited to, shares held in companies) to be carried out on a regular basis. Concern was expressed about structures involving what the MFSA perceived as ‘layering’ (which one assumes does not refer to the money laundering process of ‘layering’ but to the existence of multiple layers in a structure. While not indicating whether this remark applied to structures in which the authorised persons were acting as fiduciary mandataries rather than trustees, the MFSA expressed concern at the fact that authorised persons tended to rely more on advice received from third parties as to the reason for the layering than on a proper examination thereof. The MFSA also emphasised the importance of the 4-eyes principle in the administration of an authorised trustee company or fiduciary, remarking that from the compliance visits carried out it was evident that for “a number of authorised trustees” not all directors appeared to be aware of the company’s activities, preferring instead to refer the MFSA to those directors that were involved in the day-to-day administration of the company’s business. The MFSA also emphasised that the 4-eyes principle requires there to be at least two independent minds in the formulation and implementation of the policies of the undertaking. In conclusion the MFSA indicated its intention to continue the thematic review in 2016, as well as its onsite compliance visits that will also focus on governance issues. Authorised persons were invited to contact the CSU for any clarifications they may require with respect to the findings. The full text of the circular can be viewed here. The Circular can definitely serve as a useful insight for trustees (and other fiduciaries) as to the manner in which the MFSA is interpreting the authorised person’s obligations) and what the MFSA expects to see in place when conducting an onsite compliance visit. Go back