In 2015, the MFSA conducted a Thematic Review Questionnaire amongst 60 authorised trust companies (‘authorised persons’), which represent approximately half of the licence holders authorised in terms of the Trusts and Trustees Act. The Questionnaire focused on the governance structure of authorised trustees and other fiduciaries to verify the extent to which selected companies have proper governance structures in place.
The following are the key findings of this thematic review:
Authorised persons should have a formal business strategy and/or strategic plan which should include the levels and types of business to be accepted, so that entities are able to monitor performance against a devised and approved business strategy.
An authorised trustee or fiduciary must have a minimum of three directors who are involved in the affairs of the authorised person and who are able to make informed decisions during Board of Directors’ meetings.
Authorised persons are expected to comply with the four-eye principle, where the Authority requires that at least two independent minds be applied to both the formulation and implementation of the policies of the undertaking.
Proper minutes of board of directors’ meetings should be held in compliance with the Companies Act, which should indicate that at least two directors are involved in the decision-making process. The MFSA expects that authorised persons hold regular Board of Directors meetings which are duly recorded and minuted.
Formal agenda and board papers should be prepared in preparation for the Board of Directors meetings and such documents must be provided to all directors allowing sufficient time for them to review, participate actively and be able to make informed decisions during the Board Meetings.
Entities which form larger Groups merit having properly structured Committees in place. The Board of Directors are expected to formally approve the appointment of the Committee members and the Terms of Reference relating to the operations of such Committees.
Conflicts of Interest Policy
Some board members might be involved in other authorised persons in terms of the Trusts and Trustees Act which could give rise to potential conflicts of interest. Authorised persons should have a formal policy in place which deals with the identification, disclosure, management and mitigation of any conflicts that might arise. Due to the onerous fiduciary obligations of trustees, the MFSA expects authorised persons to have in place a formal conflicts of interest policy.
Assessment of Risk
The MFSA expects all authorised persons to identify their key operational risk areas; this is expected to include details of the risk tolerance limits which the entity is authorised to take and possible ways to mitigate any operational risks.
Authorised persons should also conduct a proper risk appetite assessment, devise a risk policy to reflect this and take necessary measures to mitigate risks.
Professional Indemnity Insurance (‘PII’)
Following the amendments to the Trusts and Trustees Act, authorised persons are required to have in place Professional Indemnity Insurance. The MFSA expects that adequate PII cover is in place for all authorised persons without delay as it was noted that not all authorised persons had this in place.
Formal procedures with clear reporting lines are expected to be in place and made known to employees of authorised persons. Authorised persons are also expected to have a yearly training program in place which includes training specific to trusts and fiduciary obligations.
Client records are expected to be held in both paper and electronic format and in the latter case should be regularly backed up with backups kept off-site in a secure place. Where a number of authorised persons forming part of a group operate from the same premises, authorised persons must ensure that client records are only accessible to authorised staff members. Proper clients’ lists are to be kept up to date and are expected to be readily available upon request.
Business Continuity Plan (‘BCP’)
Authorised persons must have a formal BCP in place which does not focus solely on the recovery of the IT system but also extends to other critical areas such as succession planning. The BCP should be tested on a regular basis and records of these tests are expected to be retained by the authorised persons.
An outsourcing agreement is required where authorised persons delegate functions to third parties. The MFSA points out that formal agreements should be entered into with respect to any outsourced function irrespective of who is providing the service, specifying the services to be provided, accessibility to information and confidentiality matters.
The MFSA expects that all authorised persons have in place a procedure whereby bank reconciliations of all client funds are carried out on a regular basis which should be duly signed and dated and that the process of reconciliation should comply with the four-eye principle.
All trustees and fiduciaries, excluding administrators of private foundations, must have a minimum issued and fully paid up share capital of € 15,000 which they shall maintain throughout their duration. All authorised persons are required to adhere to this requirement by the 25th April 2016.
The MFSA encourages authorised persons to take corrective action in relation to lack of observance of regulatory and compliance standards and to make sure that any remedial action is taken in a timely manner. The CSU plans on carrying out a number of focused onsite visits during 2016.