The MFSA has been working extensively since 2019 to bring about wholesale changes to the company service providers (CSPs) regulatory regime.  The recently published CSP (Amendment) Act 2020 marks the first step in implementing this reform.  As part of its efforts to reform the sector, the authority launched an updated rulebook for consultation, which is fully aligned with the act and which establishes detailed rules on the governance systems, core functions and capital requirements expected of CSPs. 

In essence, this translates into higher expectations from CSPs to strengthen their governance structures and upgrade their systems, policies and procedures.

As stated in the MFSA's Vision 2021, the governance, culture and conduct of all market players in the financial services industry directly impact the integrity and stability of the financial market.  Upon launching the new rulebook, the MFSA issued an additional consultation document focused primarily on three areas which have been put forward for the industry's consideration.

Taking centre stage is the risk management function.  In a previously issued feedback statement, the authority confirmed that it would be requiring CSPs to enhance their risk management framework.  This would involve establishing a risk management function which implements adequate risk management policies and procedures; identifies risks relating to the CSP’s activities, processes and systems; and sets the level of risk tolerated by the CSP.

An effective risk management framework seeks to provide the foundations and organisational arrangements necessary for creating, implementing, monitoring, reviewing and continually improving a company’s risk management function. 

The framework should ensure that risk-related information derived from the risk management process is adequately reported and is used as the basis for decision-making at all levels of the company’s organisational structure. 

A typical framework should identify risks the company is exposed to or could potentially be exposed to; analyse and then evaluate the identified risks; manage risks through the establishment of remedial actions; and monitor risks and the effectiveness of remedial actions.

It is crucial that licence holders are able to identify a broad and representative set of risks which the company may face when conducting its operations. While exposures to money laundering and terrorism financing are universally acknowledged, this is but one of the many risks CSPs should be cognisant of. It is therefore crucial that CSPs invest in the necessary framework which will enable them to take a holistic approach to enterprise risk identification.

Risk management involves analysing and developing an understanding of a company’s risk exposures from a qualitative and quantitative perspective.  The risk management framework must therefore consist of a weighted analysis of each risk and the corresponding mitigation measures. 

Once a company has identified and quantified its risks, it should use such outcomes to assist it in prioritising certain management actions, as well as determining which risks need to be managed above all others.   Companies should endeavour to form a reasonable and defensible judgement of the magnitude of any risk with respect to both the impact it could have on the company, and the probability that such an event will occur. 

In addition, the board and senior management are to collectively determine the company’s risk appetite, based on an assessment of the losses the company can afford to sustain in the event a given scenario materialises.

Having assessed its risks and determined its appetite, a company should take proactive steps to manage and control such risks.  Action plans should be prepared, at least annually, recommending the implementation of countermeasures aimed at mitigating risks. When selecting countermeasures, risk officers should take into account the company's attitude towards risk and recommend the chosen countermeasures to the board.

Ongoing monitoring is the final but vital aspect of any risk management function.  It involves the periodic or ad hoc reassessment of risks identified and should be a key feature of any company’s governance culture.

The introduction and success of any risk management plan will hinge on the board and the risk function’s sustained commitment, as well as strategic and rigorous planning to ensure that an effective risk management sentiment is present across all levels of the organisation.

Daniel Attard, senior consultant, Seed Consultancy
