The Fit and Proper operational ability requirements set out in Board Notice 194 of 2017 are very clear and comprehensive. In brief, an FSP must have and be able to maintain the operational ability to fulfil the responsibilities imposed by the FAIS Act on authorised FSPs, including:
- a fixed business address,
- adequate access to communication facilities (phone or cell phone service),
- adequate storage and filing for the safe-keeping of records and business correspondence, and
- a bank account.
Besides the general requirements to have suitable human and technology resources to effectively function and render financial services for which it is authorised, an FSP must also have an effective Governance Framework in place. This Governance Framework provides for the practical management and oversight of the financial services that the FSP provides and it must also ensure the fair treatment of clients by integrating the TCF principles into the policies.
These Fit and Proper regulations recognise that not all businesses are the same; each FSP must therefore implement a framework that is appropriate or proportionate to the nature, scale, risk and complexity of the business. There is a long list of requirements that should be included in such a Governance Framework. Here are just a few of the plans, procedures or policies that should be included:
- Risk Management Plan (including risk policies and procedures) that can help the FSP identify the risks and show the tools or measures used to mitigate such risks.
- Business Plan which enables the FSP to demonstrate the aims and scope of the business and the business strategies and goals.
- Security Policies that show how the FSP will safeguard the security, integrity and confidentiality of information. This includes physical security of assets and records, back-ups of data and disaster recovery plans. It further requires FSPs to consider appropriate measures to deal with cybersecurity threats.
- Masthead offers a Cybersecurity Online Course that will help you and your staff identify cyber threats and safeguard your FSP against cybercrime. Find out more about this course on the Masthead Learning Centre.
- Accounting Policies which will enable the FSP to report a true and fair view of its financial position to the FAIS Registrar.
- Remuneration Policy which should show that the FSP’s remuneration policies and practices promote the alignment of interests of the FSP with those of its clients.
Governance requirements: Additional requirements applicable to FSPs that provide automated advice
Where FSPs provide automated advice (e.g. robo-advice that uses algorithms and technology, without the direct involvement of a natural person) there are additional requirements that they must meet. For example, they must show that their staff have the required competence to understand the technology and algorithms used to provide the advice. Such FSPs also need to monitor and review the automated advice generated by algorithms and ensure the quality and suitability of the automated advice.
While the Fit and Proper requirements come into effect on 1 April 2018, this requirement relating to automated advice only comes into effect one month later, on 1 May 2018.
Outsourcing of functions to a person other than a Representative of the FSP
There is a new requirement being introduced for FSPs that outsource some of their functions to other parties. In simple terms, where an FSP outsources certain functions (e.g. functions that the law requires it to perform or important operational functions), the FSP must ensure that the person to whom the function is being outsourced is capable and authorised (if needed), and the FSP must have measures to assess the standard of performance of the outsourced delivery.
The FSP should have a written agreement in place which governs the outsourcing arrangement and also addresses the rights, responsibilities, service-level requirements and access by the FSP and Registrar to the business and the information.
Dealing with this increased operational responsibility
Many of these changes are consistent with the Regulator’s journey to more principle-based regulation. While rules are clear and certain, principles come with potentially more openness and interpretation, and therefore require FSPs to spend more time applying their minds to the impacts on their businesses. Looking forward, we cannot help but link these new requirements to the Conduct of Business Report that has already been communicated by the FSB and which we expect to see in operation either this year or next.
For assistance in dealing with these changes, we recommend that you attend our Risk Management workshop, where we address the risks in each area of the business (operational; human resources; advice and customers; marketing; strategic and financial) and provide you with tools to draft your own policies and procedures.