GRC in Malta: Preparing for Regulatory Compliance Visits - Best Practices for Success
February 23, 2024
The receipt of a letter informing a licence holder that the MFSA will carry out a compliance visit is generally met with trepidation at best, and often with panic. However, regulatory compliance visits are an integral part not only in ensuring that an institution continues to meet its legal requirements but also serve to maintain an open channel of communication between the regulator and the institutions which it supervises.The issue as to whether an upcoming compliance visit is a cause for alarm is dependent on the level of preparation. Regulatory compliance is not a one-time meeting with the regulator, it is an ongoing process of updates and improvements. It is only by being committed to dedicate the necessary time and resources to compliance that such visit can be successful.Knowledge is powerStaying up to date on regulatory developments is probably the most significant challenge which licensed entities face from a compliance perspective. The regulatory framework is a myriad of legislation, regulatory standards, rules and guidelines which are constantly evolving and staying up to date with changes is the essential first step in compliance. Smaller institutions may find it challenging to dedicate resources to carry out thorough horizon scanning of regulatory developments; however, solutions do exist. Subscribing to sector-specific regulatory updates and newsletters can provide a snapshot of the main developments. Regulatory bodies also publish various regulatory updates and circulars which provide invaluable insight on supervisory priorities and what their expectations are in this respect. The MFSA also publishes circulars on its findings from thematic reviews and compliance visits which can inform licence holders what to expect from the next compliance visit.Periodic training on compliance requirements ensures that everyone is aware of what is required and what their role is in meeting those requirements.Policies and documentationBeing aware of regulatory developments and understanding compliance expectations is a crucial first step – the next step is implementing such knowledge. A robust compliance framework which includes properly documented policies, procedures and internal controls aligned with current regulatory requirements ensures a smooth regulatory compliance visit. Policies and procedures should be regularly reviewed and updated, not just in line with regulatory requirements but also to reflect updated operational practices. This is also true for contractual arrangements which should appropriately and accurately reflect the relationships between the licensed entity and third parties. For instance, the MFSA has often highlighted shortcomings in the documentation of intragroup outsourcing arrangements, with various thematic reviews finding that documentation of such arrangements was not in line with regulatory requirements or even that there was no documentation at all for such relationships.OrganisationThe notification letter preceding a compliance visit will usually contain a list of policies, agreements, report samples or other documentation to be sent to the regulator prior to the visit and which will be discussed during the visit. Having a well-structured, centralised, easily accessible digital documentation system makes it easier to carry out periodic reviews of documentation to determine whether anything needs to be updated and goes a long way in ensuring that everything is in place for a plain-sailing compliance visit.TimelinessBeing able to easily access and search for documents is also helpful in identifying any gaps in documentation in a timely manner so that instead of wasting valuable time trying to track down where certain policies are saved or rummaging through email correspondence to figure out which is the latest version of a particular agreement, the licence holder can focus on identifying and remedying any gaps in documentation. Licence holders are generally given short timeframes within which to provide documentation and replies. While this may seem unfair, this is based on the expectation that the licence holder is in line with its compliance requirements, and the compliance visit is a routine check to better align documentation and practices which are already compliant with regulatory expectations.Such expectation is arguably legitimate since licence holders are legally required to be up-to-date on their compliance requirements however even with the best of efforts, given the volume of requirements to be adhered to, some matters can fall through the cracks. In such cases, such shortcomings need to be remedied proactively. All too often, external legal advice is sought when deadlines are about to expire which limits its effectiveness, so it is important to think ahead and recognise early on when legal advice is needed.ClarityDuring the compliance visit itself, cooperation with the regulator through transparent communication goes a long way in facilitating the process.The compliance officer should act as the main point of contact and oversee the compliance visit to ensure that the regulator receives accurate and timely information. The compliance officer should also coordinate internally for any necessary input and identify whether other persons should also be in attendance during the meeting. Depending on the focus of the compliance visit, persons who are more familiar with the operations of the entity may also need to attend to better explain how certain procedures are applied in practice. Co-ordination takes work, therefore it is useful to simulate the compliance visit and go through how the visit is likely to proceed and determine who will be taking the lead in answering any questions listed in the notification letter and those which are likely to come up during the visit. Reading up on past findings of the MFSA during past compliance visits gives an indication of issues which are likely to come up during the compliance visit.A cover letter should always accompany any communications, particularly any documentation sent since this helps in ensuring that nothing is missed, and any pertinent background information can also be included. This is also helpful in maintaining a record of what has been sent to the regulator and when.An ongoing commitmentA successful regulatory compliance visit is predicated on whether the licence holder maintains an ongoing commitment to stay on top of regulatory requirements and update its documentation in line with such developments. Having a well-structured, digital documentation system greatly facilitates this review process and allows for any shortcomings to be quickly identified and addressed, including by reaching out to external legal advisors for their input. In this way, being notified of an upcoming compliance visit need not be a cause for major concern and instead, any replies or documentation required can be provided in a clear and timely manner.This article forms part of a series of publications focusing on cross-sectoral matters relating to governance, risk, and compliance. This series aims to offer legal and practical insights, a valuable resource for understanding and navigating the dynamic landscape of GRC in Malta.This publications was first published in the Times of Malta on 28th January 2024.Author: Sarah Louise Azzopardi (Associate, Ganado Advocates)