Back in the good old days, you needed an ashtray, a phone and a filing cabinet to be regarded as operationally okay. Some even went to such extremes as having a fax machine installed. This was regarded as being a little over the top, particularly those with the paper that faded to nothing in a few months, although those of a slightly less ethical disposition actually welcomed the gradual disintegration of the false evidence.
The new Fit and Proper requirements relating to operational ability sounds like it could have been created after declassification of KGB documentation, or perhaps employed the same methodology in arriving at the final outcome.
On a more serious note: these requirements are very important to safeguard the interests of your business and your clients, and will go a long way to assist you in running a professional business.
A FSP must have the necessary operational ability, including adequate and appropriate human, technical and technological resources, to effectively function as a particular category of FSP and to render the financial services in relation to the financial product for which it is authorized.
The usual suspects include:
- a fixed physical business address
- communication facilities, including a full-time telephone or cell phone service
- adequate storage and filing systems for the safe-keeping of records, business communications and correspondence;
- a bank account with a registered bank, including, where required in the Act, a separate bank account for client funds; and
- adequate and appropriate key individuals per class of business to effectively manage or oversee the activities of the FSP relating to the rendering of financial services. This key individual can be a single person responsible for managing or overseeing the rendering of financial services in respect of all or multiple classes of business of the FSP.
The governance framework of a FSP must be proportionate to the nature, scale, risks and complexity of the business of the FSP and should include effective and adequate systems of corporate governance, risk management (including conduct risk management) and internal controls. The following are listed:
- a business plan setting out the aims and scope of the business, the business strategies and related matters;
- risk management policies, procedures and systems
- adequate systems and procedures to safeguard the security, integrity and confidentiality of all types of information
- processes to ensure accurate, complete and timeous processing of data, reporting of information and the assurance of data integrity;
- accounting policies and procedures to enable the FSP to record, report and deliver financial reports which comply with the applicable reporting and accounting standards;
- sound and sustainable remuneration policies and practices which promote the alignment of interests of the FSP with those of its clients and which avoid excessive risk taking and unfair treatment of customers;
- a business continuity policy aimed at ensuring, in the case of an interruption to the FSP’s systems and procedures, that any losses are limited or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities;
- a recovery plan for the restoration of the FSP’s financial situation following a significant deterioration and viable resolution plan setting out options for the orderly resolution of the FSP in the case of failure; and
- provide for regular monitoring and evaluation of the adequacy and effectiveness of its systems, processes and internal control mechanisms and measures to address any deficiencies
Can this work for you?
As pointed out, these requirements will lead to far more effective management and control of the business, but a lot of clarity still needs to be provided. How long is a piece of string?
For instance, the requirement that the governance framework of the FSP must be “…proportionate to the nature, scale, risks and complexity of the business…” raises the question about who determines the proportionality and adequacy of the framework, or is this only determined after a complaint and found to be substandard?
That would be retroactive, and in conflict with a proactive regulatory approach.
Click here to read the relevant section in the 2017 Determination of F & P.