
Governance and compliance for FMCA licensees

19 June 2017


We recently published a Financial Services News Alert on the Licensing overview report 2017 (Licensing Report), published by the Financial Markets Authority (FMA). That report highlighted that the FMA granted 201 licences of various types (from 253 applications) as at 30 November 2016.

One of the key features of the licensing regime under the Financial Markets Conduct Act 2013 (FMCA) is that licensees are subject to ongoing monitoring and obligations—as the FMA states “obtaining a licence… is the first step on an applicant’s conduct journey with us.” Accordingly, for those entities granted licences, their new status will require an ongoing commitment to ensure their governance arrangements are appropriate, and to comply with obligations arising under the relevant legislation and licence conditions. For many that will raise as many challenges as applying for the licence in the first place.

This article sets out what we consider to be some of the key takeaways on governance and compliance for the directors, senior managers and compliance functions of licence holders and their advisers. It is based on:

• the FMA’s Licensing Report (available here), which contains insights into the FMA’s findings on the implementation of the licensing regime under the FMCA;

• the FMA’s A guide to the FMA’s view of conduct (Conduct Guide) (available here), which gives the FMA’s view of good conduct;

• the FMA’s Strategic Risk Outlook 2017 (SRO 2017) (available here), which describes the FMA’s views on the current and main drivers to fair, efficient and transparent financial markets;

• various discussions we have had with FMA staff over recent months; and

• our own views on good governance practice.

Our earlier news alerts setting out the core contents of the Licensing Report and the Conduct Guide are available here and here.

While this article is aimed at FMA licensed entities, and non-bank deposit takers (NBDTs) are licensed by the Reserve Bank of New Zealand rather than the FMA, we think many of the same issues faced by entities licensed by the FMA are equally relevant to NBDTs.

Lifting the bar

It is clear that in introducing a licensing regime, in many cases for the first time applicable to participants in New Zealand’s capital markets, Parliament intended to lift the bar. It is not intended that prior business practices would simply continue as before. It is highly relevant in this regard that the FMCA was, in significant part, a response to the impact of the global financial crisis, both in New Zealand and internationally. It was also in part a response to the 2004 Financial Sector Assessment Programme for New Zealand undertaken by the International Monetary Fund and other international agencies, which identified the absence of licensing of market intermediaries as a weakness.

The three documents referred to above (Licensing Report, Conduct Guide and SRO 2017) reflect common themes in the FMA’s thinking. In particular, while the Licensing Report primarily contains insights from the licensing process, it is also a valuable document for all existing licence holders as it clarifies the linkage between conduct and the minimum standards in the FMA’s licensing guides as well as licensees’ ongoing legal obligations. Below we draw out and expand on those themes.

Understanding of NZ law and regulatory requirements is important

The FMA is concerned that directors and senior managers of licensees understand the new regime, and that they regularly undertake professional development to keep skills and knowledge of the new regulatory regime current, and to ensure ‘fit and proper’ standards continue to be maintained. The FMA has cited with approval those entities who have engaged external legal and other experts to regularly provide training for their directors and staff.

Governance

The FMA expects licensees to adopt governance models which are suitable for their particular business. Large licensees may have multiple board structures with mature governance frameworks and regular reporting to the board and to sub-committees. In contrast, smaller organisations may adopt a more simplistic and straightforward governance framework.

The governance challenges faced by large and small organisations are very different. For example:

• Larger licensees which operate with a number of sub-committees need to manage the risk that, because reports are tabled at sub-committee level so frequently, issues may not be escalated to the oversight body, or may fall through the cracks, e.g. because no sub-committee had clear responsibility for that issue.

• For smaller licensees, the challenge is to adopt a formal governance framework which is appropriate for their business and which also provides for independent challenge. Directors should meet regularly to work “on” (rather than “in”) the business, outside of normal operational activity, i.e. to focus on strategic issues. The FMA have made clear that a framework does not necessarily require an independent director, if independent challenge of oversight of the business is provided in another way, e.g. by a business advisor, advisory board or other professional. However, the “independent challenge” process should be explicitly incorporated into the licensee’s governance calendar and be conducted, for example, on a quarterly or six-monthly basis.

What all licensees need to do is be able to demonstrate that there are formal arrangements in place for the board to consider how the licensee is meeting its obligations and putting customers’ interests first. Directors need to lead from the top, and hold management accountable to high standards of ethical behaviour throughout the organisation. The FMA have identified that there are particular risks to good governance when boards and senior management apply a “set and forget” approach, and still see room for improvement in this area.

Regardless of the size and scale of the business, a robust governance framework should include the following:

• Clear company and governing reference documents. These documents should reflect licensee requirements, including the roles and responsibilities of the oversight body, as well as include details such as how the chair is appointed and how key decisions are reached and agreed. There should also be clarity around the frequency of meetings, standing agenda items and types of reports the board and the oversight body (if different) receives.

• Regular formal board meetings to actively work on improving the business. Detailed minutes of meetings should be recorded and retained (in accordance with good basic governance practice) to give a description of the nature and focus of any discussion. In addition, formal processes to approve and authorise issuing of financial information and regulatory returns are necessary.

• The governance framework should be supported by a compliance framework (see ‘Risk and compliance programmes’ below). The board should receive compliance reports for each reporting period on a regular, rather than exceptions or high risk, basis. Reporting should include both negative reporting, i.e. when things have gone wrong, as well as, importantly, positive reporting, i.e. giving boards assurance that the organisation is complying with its obligations and putting customers’ interests first.

• A process or work plan for compliance assurance, so the board knows what information to expect and when. A regular programme will give the board assurance that the organisation is in compliance with its obligations at all times.

Culture and conduct

The FMA recognises that culture is critical to good outcomes for investors and other customers. The FMA is clear that its role is not to prescribe culture. Rather, the FMA holds the board and senior leaders responsible to determine culture, and be accountable for it.

A focus area for the FMA’s monitoring will be how and to what extent licensees can demonstrate tangible customer-focused conduct in all aspects of their business. The FMA have made it clear that they will use conduct as a ‘lens’ for looking at how issuers and licensees behave when meeting their obligations, and for shaping how the FMA will interact with them. The FMA wants to know how a business develops good culture and to understand the specific steps taken to promote the right attitudes and behaviours across all levels of the business. Licensees need to ask themselves what “good” looks like in the context of their business culture.

Some core aspects of good culture include:

• A culture that encourages all staff to look out for, and look after, customers, including by:

    • giving customers products and services which are appropriate to their needs and which they understand;

    • being transparent with customers and providing them with clear and consistent information about the business and the products and services; and

    • ensuring incentives arrangements align with the customers’ expectation of being treated fairly. It is important the incentives structure does not promote risky behaviours.

• A clear and common understanding across the organisation, from the top down, of desired business outcomes and how they align with customer objectives and outcomes.

• Ensuring any breaches of conduct expectations are identified and appropriately addressed, and good conduct is recognised and rewarded. Processes that encourage staff to report breaches and inappropriate behaviour also help.

A good starting point for organisations to review their conduct expectations is for the directors and senior managers to ask themselves the questions at the back of the Conduct Guide—because the FMA will likely ask the same questions.

In terms of how licensees can practically demonstrate how they are putting their customers’ interests at the forefront of their business, all too often the starting point for any decision-making is whether “legally we can do this”. Instead, boards need to move to thinking first about whether it is in their customers’ best interests, which is the standard under the new conduct regime.

In this regard, licensees should record why they consider a particular decision to be in their customers’ best interests, as well as have a stronger focus on demonstrating how systems and processes are aligned with their customers’ interests. For KiwiSaver providers, this may include taking steps to push advice processes out to their customers as well as educating them to ensure that their fund selection matches their risk profile and that they are not in a default fund.

Risk and compliance programmes

The FMA accepts that the FMCA’s design is intended to cater for many types of business models and sizes. There is no prescriptive approach to meeting the minimum standards and FMCA requirements, nor is there a “one-size-fits-all” approach. Instead, each licensee must consider how their business can meet, and will continue to meet, all of its ongoing obligations. This flexibility does not mean that there are no constraints: whatever the size of the business, directors need to make sure their business has an appropriate approach to compliance.

Some key things licensees should carefully consider in relation to their risk and compliance programmes include:

• Outsourcing: The FMCA regime is unique in that it allows for highly outsourced models. However, outsourcing does not absolve the licensee of responsibility for the performance of those functions. Instead, third party supplier risk needs to be actively monitored and managed. Licensees should review the robustness of service agreements, with a focus on ensuring they are fit for purpose and address any risk. Businesses also need to demonstrate that they are appropriately monitoring the delivery of outsourced functions, and have appropriate oversight over their outsource providers, to ensure the functions are adequate, effective and compliant with their licensee obligations. This performance monitoring programme should also align with the licensee’s overall compliance assurance programme.

• Risk management: Licensees need to focus on the ongoing identification and management of risk, outside just the process for the preparation and review of offer documents (which contain risk disclosures). Licensees should regularly identify and address key risks that could affect business and customer outcomes. Directors should have a clear understanding of what “materiality” looks like for their business and communicate this to all relevant stakeholders. This should also form part of any regular board reporting, so that directors can turn their mind to risk. If no risks were identified in the preceding period, this should be noted in reporting to the board. Cyber risk is a particular issue for many financial services businesses and boards should assess the robustness of their frameworks and processes to address this.

• Compliance assurance programme: As a minimum standard, licensees are required to have a compliance assurance programme which sets out a programme of controls and activities to provide its board with assurance about the operation of the compliance systems. There is no preferred model, so licensees are able to adopt a programme appropriate to the nature and size of their business. However, a good compliance assurance programme should include:

    • an explanation of the roles and responsibilities for overseeing compliance in the organisation as well as the skills and qualifications of the person (who may be external to the organisation) who performs the independent checks;

    • a register setting out a list of the obligations;

    • a plan for testing and monitoring controls that gets reported back to the oversight body;

    • examples of how findings are reported and fixed; and

    • details of how agreements with clients and outsourced providers are monitored and how failures are reported and addressed.

An overseas perspective

In Australia, the Australian Securities & Investments Commission (ASIC) recently released a report on its findings on responsible entities’ compliance with obligations from its 2016 proactive surveillance program (available here).

While the Australian regime is different, and ASIC has differences in approach from the FMA, there is value in comparing ASIC’s findings and recommendations with what is expected here.

To assist responsible entities, ASIC has made a number of recommendations to improve “what good looks like” including:

• ensuring professional indemnity coverage is adequate for the nature, size and complexity of the responsible entity’s business;

• reviewing and, where necessary, strengthening their conflicts management measures;

• reviewing custody measures to ensure they meet the requirements;

• accountability from top management about disputes;

• reviewing and strengthening existing cyber resilience measures;

• focusing on the board’s role in influencing the culture of the organisation;

• alignment of remuneration, rewards and incentives with the values of the responsible entity;

• having in place appropriate whistle-blowing measures; and

• measures that reflect a consumer-focussed culture.

What next?

We recommend that all boards of licence holders turn their minds to how their business may need to change to adapt to the new environment.

As a starting point, directors and senior managers should ask themselves the questions at the back of the Conduct Guide (see here) to understand what the FMA is looking for in terms of good conduct, and what they will be asking when they monitor and engage with licensees. However, this should not be regarded as a simple checklist or manual. Instead, the questions should be seen as starting points for enquiry. Licensees are accountable for ensuring their governance frameworks, controls and culture are appropriate to support good conduct throughout the business. Directors and senior managers need to think hard about whether their existing frameworks and systems are “fit for purpose” for ensuring compliance with the minimum standards and other licensee obligations, as well as whether they facilitate the FMA’s expectations around conduct and culture.

The FMA are also currently in the process of completing their post-licensing monitoring visits. In addition to implementing any mandatory changes, we encourage licensees to take on board the FMA’s recommended changes or carefully consider how their existing policies and practices address any issues identified.

Finally, the FMA have said they will take a “don’t tell me, show me” approach to monitoring and engagement. Licensees need to be able to practically demonstrate to the FMA how they are meeting their obligations, how they are developing a good culture, and how they are putting customers’ interests at the heart of everything they do.

If you have any questions in relation to governance or compliance for licensees, please contact one of our experts.

Lloyd Kavanagh, Chair and Partner [email protected] +64 9 353 9976

Samantha Zhang, Solicitor [email protected] +64 9 353 9807