securities & markets supervision unit · mfsa malta financial services authority i 5 october...


MFSA
MALTA FINANCIAL SERVICES AUTHORITY

I 5 October 2015

Securities & Markets Supervision Unit
Tel: (+356) 21441155
Fax: (+356) 21449308

To: Collective Investment Schemes and Fund Managers

Attn. The Directors and Compliance Officer

Dear Sir/Madam,

Re: Thematic Review on compliance with the requirements on Governance, Compliance and Risk Management

During 2014 and 2015, the Securities and Markets Supervision Unit conducted 21 thematic reviews on governance, compliance and risk management through focused visits at the offices of a number of collective investment schemes (“CISs”) and Fund Managers. A broad range of licence holders varying in size, type and business model were selected in order to obtain a representative picture of the whole sector. The Authority carried out other onsite visits at other types of financial services entities, such as investment services providers. A separate communication will be issued in due course identifying the findings of these other inspections.

The visits were designed to verify the extent to which the selected licence holders have proper governance, compliance and risk management procedures in place and the extent to which these are being complied with and applied in practice. In the case of fund managers which qualify as full scope Alternative Investment Fund Manager (“AIFM”) pursuant to Directive 2011/61/EU the objectives of the onsite inspections also included a review of compliance with the requirements on remuneration, delegation and valuation obligations.

The purpose of this letter is to inform the industry about the common findings of these 21 onsite visits in order to encourage licence holders to take corrective action and avoid the common pitfalls in relation to lack of observance of regulatory and compliance standards.

In this regard, you are encouraged to consider carefully the key findings set out below and undertake an assessment of your company’s compliance levels vis-à-vis these findings, making sure that any remedial action is taken in a timely manner, whilst taking into consideration the proportionality of the business.

This letter consists of three sections:

- Section A outlines the findings which were found common both in CISs as well as fund managers;
- Section B details the findings identified during visits at CISs; and
- Section C is mostly applicable to fund managers.

Notabile Road, Attard BKR 3000, MALTA. Tel: (+356) 2144 1155 Fax: (+356) 2144 88 Website: www.mfsa.com.mt


Section A - Common Findings/ Recommendations

1.

1.1 Conflict of Interest — Policy, Register & Disclosures

A common finding identified during the onsite visits at both CISs and Fund Managers was related to the establishment and maintenance of the conflict of interest policy and the conflict of interest register, as well as the reporting obligations of potential or actual conflict of interest. These findings are summarised as follows:

- A number of licence holders failed to implement the necessary organisational and administrative arrangements designed to prevent conflict of interest as required by the applicable standard licencing conditions in the relevant MFSA rulebooks. The requirement may be complied with by, inter alia, ensuring independence between the Board members of CISs and those of the Fund Managers, the maintenance of conflict of interest policy and/or conflict of interest register. The conflict of interest register serves as a central log to record any potential or actual conflict of interest identified for ease of reference, more accurate record keeping and easy retrieval in case of need.
- Some directors failed to declare conflicts of interest during Board Meetings.
- All procedures and policies making reference to conflict of interest should be collated into one policy/ procedure for ease of reference.
- In other cases, although the licence holders did establish a conflict of interest policy, they failed to review the policy on a periodic basis, at least annually. The conflict of interest policy should be approved by the Board of Directors. The reviewing frequency and the approving body of the conflict of interest policy should be clearly indicated in such document.
- Although in some cases a conflict of interest register was created, this was not populated with potential, actual or declared conflict of interest, although the licence holders were actually aware of such conflicts.
- The Authority recommends that a standard agenda item is included in the agenda of Board meetings, i.e. declaration of conflict of interest.
- In some instances the licence holders were not adhering to the conflict of interest procedures outlined in their compliance manuals, conflict of interest policies or constitutional documents.

1.2 Board of Directors Meetings Proceedings

During the visits MFSA Officials reviewed the licence holders’ Board packs and minutes. The main deficiencies noted were as follows:

- Board of Directors’ meetings were not held regularly. A number of licence holders failed to hold regular Board meetings on at least a quarterly basis, in line with guidance 7.2 of the MFSA’s Corporate Governance Manual for Directors of Investment Companies & Collective Investment Schemes (“the MFSA Governance Manual”).
- Board minutes failed to record discussions on the licence holders’ financial position, any compliance issues or breaches of the standard licencing conditions.
- Board minutes did not adequately provide an audit trail of unresolved issues or pending matters. Board Minutes should clearly document the person responsible for the relevant action point and how such action points are implemented as recorded.
- Information Board packs were not presented at Board meetings as recommended in guidance 8 of the MFSA Governance Manual.

2. Compliance

2.1 Breaches register & Breaches reporting

During the visits MFSA Officials reviewed the breaches registers maintained by the relevant licence holders. The below is a list of all the findings identified:

- Inadvertent breaches to the investment restrictions were not included in the breaches register. Particularly in the case of Fund Managers, the breaches register should include all breaches, irrespective of whether the breaches are in relation to the standard licence conditions or breaches of internal limits. Fund managers are recommended to maintain separate breaches logs; one which records their own breaches, and a separate register which logs the breaches of the funds under management (to the extent that breaches relate to investment management activity). It is advisable to record contraventions arising from changes in market conditions under a separate section of the breaches register of CISs.
- The material findings/ recommendations included in the MFSA’s post-visit reports are to be included in the breaches register.
- In some instances the breaches registers failed to include the following details: i) occurrence date; ii) discovery date; iii) identified by and reported to; iv) the classification of the breach and summary of the discussion with the Board of Directors; v) whether the MFSA was notified of the breach (as applicable); vi) whether the Custodian/ Depositary was notified of the breach (as applicable); vii) details of the remedial action taken to rectify the breach as well as the action implemented to improve internal controls; viii) the extent of the investment overexposure; and ix) status of breach.
- In other instances licence holders failed to identify, record and report breaches as required, as follows: i) the breaches register; ii) the compliance reports prepared by the Compliance Officer; or iii) to the Authority. Licence holders are also expected to inform investors of any breaches committed and as a minimum a reference should be made in the audited financial statements.
- The Compliance Manual of particular licence holders needed to be revised in order to include the breaches procedure.

3. Disclosure & Transparency

Some licence holders were required to amend the Key Investor Information Document (“KIID”) and ensure that all required information is properly and accurately documented, including the details of fund performance.

One particular licence holder made use of a website which marketed a wide range of services which are more than the limited range of services which the entity is authorised to provide. Licence holders are reminded to ensure that a fair, clear and transparent representation of the services offered is provided at all times, including on websites. Communication with actual or potential clients and/or investors should also be clearly understandable and comprehensive to users enabling them to understand the nature and risks of the investment services provided.

4. Procedures Manuals and Policies

During the visits MFSA Officials reviewed various agreements, manuals and policies produced by the licence holders, including operational procedures, compliance, AML manuals and other policy documents. The most common findings with respect to such documents are the following:

- Procedures and policies were not dated.
- The name of the individual(s) signing the agreements, manual and/or policies was not specified.
- Procedures and policies were not approved by the Board of Directors.
- Compliance manuals made reference to the rules of another jurisdiction rather than to the relevant MFSA rulebooks.
- No audit trail was kept illustrating the changes made to the licence holders’ procedures and policies.
- Some procedures manuals were merely a replication of the applicable MFSA rulebooks and/or were not tailored to reflect the specific needs and obligations of the licence holders.


Section B — CISs’ Key Findings/ Recommendations

The following findings/ recommendations were identified during the onsite visits at CISs:

1. Compliance

1.1 Due diligence, Monitoring and Reliance on Service Providers

The majority of the CISs inspected placed significant reliance on the internal control processes and procedures of their service providers, i.e. the investment manager, the administrator and the custodian (where applicable). Furthermore, it was noted that the CISs do not perform due diligence and monitoring on their service providers because they rely on the fact that they have constant communication with them. It was also noted that the CISs have added comfort given that their service providers are reputable and renowned.

Moreover, in most of the cases the CISs do not check whether the Business Continuity Policy (“BCP”) and Disaster Recovery Plan (“DRP”) of each of their respective service providers are periodically updated, particularly those of the administrator, investment manager and custodian, because they rely on the fact that these service providers are regulated in reputable jurisdictions.

In other cases the CISs advised that they perform due diligence checks and monitoring on their service providers on an ongoing basis; however such checks are not documented on an ongoing basis.

It is recommended that CISs conduct due diligence and onsite ongoing monitoring on their service providers from time to time, which monitoring should be formalised, properly documented and presented to the Board of Directors. Written confirmations that main service providers are actually updating and testing their BCP and DRP on a periodic basis should be obtained.

1.2 Appointment of Compliance Officer and MLRO

In one particular instance, the appointed Compliance Officer of a CIS was not present during the compliance visit and it was noted that the compliance duties were being carried out by a different person, although the compliance reports were signed off by the Compliance Officer. In such circumstances, the MFSA expects the approved Compliance Officer to be the person responsible for carrying out the compliance function, including the attendance at Board meetings in order to keep abreast with the business being discussed, as well as to present compliance findings to the Board. If the Compliance Officer intends obtaining additional support, the arrangement should be approved by the MFSA.


1.3 Compliance Reports

During the visits MFSA Officials reviewed the six monthly compliance reports prepared and presented by the Compliance Officers to the Board of Directors. The following are the most common issues arising from the review of these reports:

- Compliance reports failed to include a confirmation that all the local Prevention of Money Laundering requirements have been satisfied.
- Although complaints received from unit holders of CISs were recorded in the complaints register, these were not reported in the compliance reports. The compliance reports should also indicate the manner in which the complaints were handled.
- Some compliance reports did not include the breaches of the investment restrictions or standard licencing conditions.
- Some compliance reports were not signed by the compliance officers.

2. Governance

2.1 Shareholders meetings proceedings

During the visits MFSA Officials reviewed the agenda and minutes of shareholders annual general meetings, as well as extraordinary meetings. Some of the CISs failed to convene annual general meetings as required in terms of Article 128 of the Companies Act, 1995 and also in accordance with the respective clauses of their Articles of Association.

2.2 Record keeping and safekeeping of assets

In particular instances, CISs failed to produce accounting and other records, such as evidence of ownership of certain investments as required in terms of SLC 4.14 of Appendix I to Part BII of the Investment Services Rules for Professional Investor Funds.

2.3 High Total Expense Ratio

Another specific finding relating to CISs was the high Total Expense Ratio (“TER”) of particular schemes or sub-funds. Significantly high TER makes the continued existence of schemes and/or sub-funds no longer viable and such situation is definitely not in the best interest of investors to remain invested in such schemes and/or sub-funds. In such circumstances the CISs were strongly urged to discuss this situation at Board level and in the absence of short term possible developments, consider the feasibility of the CISs as a going concern. In this regard, additional financial strain caused by significant payments to service providers should be a factor that needs to be given due consideration.


3. Reporting from service providers

It is good governance practice for CISs to present information packs at Board meetings. As indicated in Section 8 of the MFSA Governance Manual, information packs generally include a) investment management reports; b) administrator reports; c) custodian reports (where applicable); d) auditor report (where applicable); and e) any other documents as requested by the Board such as risk management reports. In this respect, a number of CISs failed to present any of these reports on a periodic basis. Sections 9, 10, 11 and 12 of the MFSA Governance Manual indicate the generic contents of such reports. It is also good practice that service providers’ reports are adequately endorsed for a sufficient audit trail.

Section C — Fund Managers’ Key Findings

The following findings/ recommendations were identified during the onsite inspections at fund managers, i.e. UCITS management companies, de minimis AIFMs and full AIFMs:

1. Governance

1.1 Substance

Most IC meetings should (to the greatest extent possible) be physically held in Malta in order to ensure that management and control of their entities are effectively being undertaken in Malta. Investment decisions and other commercial decisions are to be made in Malta and records are to be maintained at the registered/ operational office in Malta, to the greatest extent possible. It is essential that operational set up arrangements approved by the Authority at licensing stage are adhered to and if there are any changes these are submitted to the Authority for approval. Moreover, it is also important that post licencing conditions are adhered to, whilst the applicability of any derogation should be reviewed by the licence holders from time to time and at least on an annual basis.

1.2 Independence between the Manager and the Scheme

In certain cases it was noted that the Fund Managers were exerting undue pressure on the Board of the CISs, limiting the independence of the Board of the CIS in its decision-making process. Although the input of the Fund Manager is a key factor to the decision making process of the Board of Directors of the CISs, the independence of such Board of Directors should always be respected.

1.3 Investment Committee (“IC”) Proceedings

During the visits MFSA Officials reviewed the documentation related to IC proceedings, such as IC agendas, IC minutes and IC packs. The main deficiencies noted were as follows:

- IC meetings were not held on a quarterly basis as stipulated in the respective Terms of Reference of the same committee.
- IC minutes failed to evidence the review of the performance of the CISs under management.
- Supporting documentation and written analysis were not provided to IC Members for their consideration.
- In some cases the discussions related to the investment management strategy decisions were documented in the Board minutes rather than in separate IC minutes. IC meetings should be held separately and prior to Board meetings.
- Some ICs failed to determine strategic bands and other limits as may ordinarily be required for the purpose of determining asset allocation and compliance with the investment restrictions of the funds under management.

1.4 Training logs

Not all licence holders maintained training logs which document in an adequate manner the training received by the officials and staff members. Directors and other officials of licence holders are expected to keep abreast with regulatory developments.

1.5 Professional Indemnity Insurance

Some Fund Managers were recommended or required to take out and maintain a professional indemnity insurance policy in terms of the applicable rules in the relevant Parts of the Investment Services Rules for ISLHs.

2. Investment Management

2.1 Investment Process

During compliance visits the Fund Managers provided the MFSA Officials with a walkthrough of the investment process. MFSA Officials also performed a limited review of the policies and procedures related to the investment process. The following are some deficiencies identified during these reviews:

- A number of Fund Managers failed to document their investment process in a formal procedure/ policy. An investment policy should specify the procedure adopted throughout the investment process, including but not limited to, pre- and post- trade checking as well as the monitoring of investment policies and restrictions.
- Some Fund Managers failed to implement a portfolio management tool with the required controls to be used during the pre-trade checking and ongoing monitoring of the investment restrictions.
- In specific instances it was noted that tactical investment decisions were not being duly recorded.
- There were cases where staff members within the Fund Managers were granted trading limits which authorised them to place orders. However, it was noted that these trading limits were either not documented in the licence holders’ investment procedures/ policy, or not periodically reviewed (at least on an annual basis).
- A brief report/ entry is to be raised as at end of each day listing the trades/ orders raised during the day and to include a brief note justifying each trade. This report/ entry should be signed off by another, preferably, senior official for dual control purposes. The dual control/ authorisation procedures should be implemented throughout the entire investment process, particularly during the placement of orders.
- In some cases the checklists used by the Fund Managers during the investment restrictions monitoring failed to capture all investment restrictions, including any borrowing limits, applicable to the specific type of scheme being managed.
- Segregation of the investment management function from the back office and middle office operations is essential to ensure effective Chinese walls.
- In one particular case, it was noted that the investment management policies and procedures failed to ensure that investment restrictions are effectively monitored and complied with.

2.2 Best Execution Policy & Order Allocation Policy

Some Fund Managers did not have in place adequate best execution policies and order allocation policies as required by the applicable MFSA rulebooks. In fact in particular instances the best execution policy failed to identify the entities with which orders may be placed in respect of each class of instruments. Furthermore, certain Fund Managers implemented an order allocation policy which did not provide sufficiently precise terms for the fair allocation of aggregated orders. Some order allocation policies failed to indicate how the volume and price of orders determine allocations and the treatment of partial executions.

3. Business Continuity and Disaster Recovery

During the visits MFSA Officials reviewed the business continuity policy/ plan (“BCP”) and disaster recovery plan (“DRP”) of Fund Managers to assess the contingency procedures in place which address events of an unexpected event or disaster. The main deficiencies are noted below:

- In several cases Fund Managers failed to test their BCP and DRP. Others did not document in an adequate and accurate manner such tests. Testing of both BCP and DRP and review of these policies should be done periodically, preferably on an annual basis.
- In cases where DRP testing is outsourced to third parties, the licence holder should monitor the testing by obtaining confirmations that any issues arising from this testing have been addressed.
- Several licence holders failed to make a distinction between business continuity and disaster recovery.
- In one particular instance, a licence holder indicated in its BCP that operations would be relocated to the entity’s overseas branches. Licence Holders are required to obtain the necessary authorisation in order to be able to operate in overseas branches, even in the case of contingency.
- BCP and DRP should be approved by the Board of Directors.
- Fund Managers were recommended to revise their BCPs to include the three basic components of a good BCP as indicated in the Guidance Notes to the Investment Services Rules for Investment Service Providers in order to ensure that their BCP reflects the minimum requirements.
- Other Fund Managers were required to refrain from specifying in any of their documents sensitive information which may pose risk from an information security perspective as specified in the relevant provisions of the MFSA rulebooks with respect to the safeguarding of the integrity of information.
- It is important that data is backed up and mirrored in a contingency site which can be easily accessed in a contingency event.

4. Compliance

During the visits MFSA Officials also reviewed compliance manuals, breaches registers, compliance monitoring reports and documentation related to due diligence and ongoing monitoring on counterparties. The following are the main deficiencies identified in this area:

- In several cases AIFMs failed to formally document the due diligence and ongoing monitoring performed on the prime brokers and/or counterparties. In terms of SLC 3.12 of Part BIII of the Investment Services Rules for Investment Services Licence Holders (“ISLHs”), an AIFM “shall exercise due skill, care and diligence in the selection and appointment of prime brokers with whom a contract is to be concluded”.
- Some Fund Managers failed to adopt and effectively implement a compliance monitoring programme which assesses the compliance risks and tests the controls in place to mitigate the identified risks.
- In other instances Fund Managers were requested to adopt a more holistic approach in implementing the compliance monitoring programme in order to include also the risks of non-compliance and alignment to AIFMD besides the monitoring of the personal dealing register, gifts register and quarterly monitoring of the delegated function.
- It is recommended that Fund Managers carry out, at least on an annual basis, a compliance risk assessment which evaluates the probability, impact and risk of various risks, as the basis of the compliance monitoring programme.
- Compliance monitoring reports should be produced and presented by the Compliance Officer to the Board of Directors, on a periodic basis (at least every six months), specifying any material findings emanating from the compliance monitoring checks. These reports should set a deadline by when such findings are to be resolved and the Board of Directors is to ensure that the resolution of such findings is actually implemented.

5. Remuneration

One of the main areas addressed during compliance visits at Fund Managers, particularly at AIFMs was remuneration. MFSA Officials assessed various documents related to the different remuneration obligations applicable to the different type of Fund Managers, such as the remuneration policy and remuneration committee terms of reference. The main findings are outlined below:

- Some AIFMs did not have in place a formal staff appraisal process which

documented in a transparent manner the criteria used in determining the staff’svariable remuneration. as required in terms of SLC 12.02.3 of Appendix 12 to Part

BIll of the Investment Services Rules for ISLHs.

- In some cases the A1FMs distributed the remuneration policy “only” to Identified

Staff and not to all staff members as required in line with SLC 12.02.1 of Appendix

12 to Part Bill of the Investment Services Rules for ISLHs.

- A number of Fund Managers were requested to amend their remuneration policies

following the identification of particular inconsistencies in these documents, mainly

related to the criterion adopted in the deferral process, as well as the performancerelated remuneration structure.

- The remuneration policy of particular A1FMs failed to state the person responsible

for overseeing the remuneration of the senior staff responsible for heading the

control functions.- Some AIFMs did not indicate in the remuneration policy the supervisory bodies

that approve and maintain such policy. The remuneration policy should also

indicate the frequency of reviewing, which should at least be held on an annual

basis.

- AIFMs were also recommended to involve the person responsible for risk

management in the assessment of how the variable remuneration structure affects

the risk profile of the Fund Manager. It is good practice for the risk management function to validate and assess risk adjustment data.

- Some remuneration policies were not in line with the AIFMD requirements, notwithstanding the fact that the relevant AIFMs had resolved that they had

“implemented a Remuneration Policy which is in line with the requirements

stipulated in Annex II of the AIFM Directive”. Moreover, some remuneration

policies failed to specify the criteria for determining: a) the variable remuneration allocation; b) how balance between variable and fixed remuneration is achieved;

and c) how risk taking can be mitigated.

6. Delegation/Outsourcing

Another area covered during onsite inspections at Fund Managers was the delegation/outsourcing obligations. MFSA Officials went through delegation/outsourcing agreements,

as well as documentation related to the monitoring performed on the delegated functions. The most common findings related to this topic are as follows:

- Certain delegation/outsourcing agreements did not specify the remuneration to be paid to the delegated function for the services received by the Fund Managers.

- In some cases Fund Managers did not conduct ongoing monitoring on their delegated functions, the reason most of the time being that the delegated function and the licence holder form part of the same group. Fund Managers, particularly AIFMs, are expected to refer to Section 4 of Part BIII of the Investment Services Rules for ISLHs in relation to outsourcing and sub-delegation.

- Notwithstanding that AIFMs and the delegated functions may form part of the same group, Fund Managers are recommended to conduct ongoing monitoring on the delegated function in a formalised and documented manner and at least on an annual basis. These reports should be signed by the Compliance Officer and presented to the Board of Directors.

7. Risk Management and Liquidity Management

During the review of the different risk management related documentation together with the interviews held with the appointed person responsible for risk management, the following deficiencies were noted:

- The appointed person responsible for risk management reported to the Investment Committee. AIFMs must ensure complete segregation and independence between risk and investment management, in accordance with SLC 2.04 of Part BIII of the Investment Services Rules for ISLHs.

- All risks (including currency risk) should be documented, monitored and managed by the risk management function.

- It is good practice that Fund Managers, besides assessing investment-related risk, also formally conduct a proprietary risk assessment of the general risks of the business, such as operational risks, so as to capture the various levels of risks of the business.

- In contrast to the requirement of SLC 1.180) of Part BIII of the Investment Services Rules for ISLHs, not all risk managers were granted full approval by the

MFSA to perform risk management duties and present risk reports to the Board of

Directors at the time of the onsite inspections.

- Other Fund Managers did not inform the MFSA that the identified person

responsible for the risk management function had changed. It is advisable that

where a risk manager is not appointed, as permitted by the relevant MFSA

rulebooks, a member of the Board of Directors oversees the risk management of the

licence holder.

- Not all risk reports were signed by the risk manager and/or indicated the author’s

name or to whom the reports were addressed. Risk reports should be produced by

the risk manager and presented to the Board of Directors.

- Some Fund Managers failed to record pre-deal communication exchanged between

the risk management function and the portfolio management function. Fund

Managers are required to keep documented evidence of any pre-deal checks

conducted by the risk manager to assess the eligibility of assets and compliance

with the investment restrictions, as well as pre-trade due diligence checks on

potential investments.

- Where possible, subject to proportionality, and unless it is required by the

applicable MFSA rulebook, Fund Managers should ensure that Chinese walls are in

place between the portfolio management and risk management functions.

8. Internal Audit

In the majority of the cases the Fund Managers were granted derogation from establishing

an internal audit function in view of their size, nature and proportionality. Nevertheless the

Fund Managers are advised to revisit the implementation of this third line of defence should the Fund Manager’s assets under management grow in size. It is essential that when

Fund Managers opt not to establish an internal audit function, they specifically request such

derogation in writing for the Authority’s consideration and approval.

In some cases where Fund Managers have an internal audit function it was noted that action

points from the previous internal audits were not being documented as completed or

followed up.

One particular Fund Manager failed to conduct a formal internal audit review although it

has established an internal audit function. In accordance with SLC 2.24 of Part BII of the

Investment Services Rules for ISLHs, an audit plan should be raised, at least on an annual basis, and an internal audit exercise should be conducted on the basis of this plan.

9. Valuation

Some Fund Managers did not have in place a valuation policy and procedures which cover

all material aspects of the valuation process and valuation procedure and controls as

required by SLC 2.10 and SLC 2.17 of Part BII and Part BIII of the Investment Services

Rules for ISLHs, respectively. In several cases the valuation policy did not:

- Indicate the secondary pricing sources for all instruments (to the extent possible).

- State the tolerance thresholds on the difference between the primary and the

secondary sources.

- Include provisions related to the treatment of stale prices, illiquid and hard-to-value

assets.

10. Cyber Security

Whilst the issue of cyber security within the fund industry has not been so far tackled and

tested during onsite compliance visits, we would like to take this opportunity to alert Fund

Managers to the need to assess the management of cyber security within their operational

risk framework. It is extremely important that licence holders ensure that confidential data

and intellectual property are duly protected by security processes and policies at all times.

It is recommended that such processes and policies are reviewed at Board of Directors level

and that staff members are informed of the relevant risks and actions that are required. The

Authority will be looking at this aspect of operations in future compliance visits.

Conclusion

We trust that the guiding principles outlined in this letter will help those CISs and Fund

Managers, which have not yet been visited, to identify common pitfalls that we have seen

in recent visits and to take the appropriate actions.

We remain committed to continue helping you in accomplishing your plans for adherence

to compliance and regulatory standards.

Should you have any queries regarding the above, please do not hesitate to contact: Mr Joseph J. Agius [email protected]; Ms Jeanelle Newell [email protected]; or the undersigned.
