During the course of 2015, the Conduct Supervisory Unit (‘CSU’) within the MFSA sent a Thematic Review Questionnaire (‘TRQ’) to 60 authorised trustees and fiduciaries varying in size, type and business model. The TRQ focused specifically on the governance structure of authorised trustees and other fiduciaries and was designed to verify the extent to which selected companies have proper governance structures in place.
Following receipt of data from authorised persons, an extensive desk-based review of information provided was undertaken. This included a review of the key areas of operation including an assessment of the internal controls in place. Based on the outcome of the desk-based review, the CSU conducted a number of onsite compliance visits and/or meetings with Directors.
On the 30th December 2015, the MFSA issued a circular to authorised trustees and other fiduciaries pursuant to the above-mentioned thematic review, the purpose of which is to inform the industry about the MFSA’s findings in order to encourage authorised persons to take corrective action in relation to lack of observance of regulatory and compliance standards.
In the circular, the MFSA also indicated that during the course of 2016 the CSU plans on carrying out a number of focused onsite visits or meetings to trustees and other fiduciaries which may, but not exclusively, focus on corporate governance.
The MFSA noted that most authorised persons do not have a formal business strategy and/or strategic plan, which should include, amongst others, the levels and types of business to be accepted. In the absence of such a strategy, it is not possible for entities to monitor their performance against a devised and approved business strategy.
It resulted that most board of directors’ meetings are held informally and infrequently, and that discussions held are not duly minuted. The MFSA confirmed that it expects regular Board of Directors meetings to be held, demonstrating that at least two directors are involved in the decision-making process, and proper minutes to be recorded. Furthermore, the Authority expects a formal agenda to be circulated to all directors in preparation for Board of Directors meetings, allowing sufficient time for directors to review, participate actively and be able to make informed decisions during Board meetings. It also resulted that some board members have multiple involvements in both regulated and unregulated companies. In this regard, the Authority highlighted that when accepting the position of director, the person nominated must ensure that he has sufficient time to dedicate to such a role and is aware of the affairs of the authorised entity.
The MFSA noted that whilst most authorised persons have a medium or small set-up, which results in the directors playing an active role in the management of the affairs of the authorised entity, there are other entities which form part of larger Groups and which, in the opinion of the Authority, merit having properly structured committees in place. In addition, the Authority expects the Board of Directors to formally approve the appointment of the Committee members as well as the Terms of Reference relating to the operations of such Committees.
Conflicts of Interest Policy
In terms of Article 21(1) of the Trusts and Trustees Act, authorised persons should act in utmost good faith and avoid any conflict of interest. The Authority noted that some board members might be involved in other authorised persons in terms of the Trusts and Trustees Act. This could give rise to potential conflicts of interest. Consequently, due to the onerous fiduciary obligations of trustees, the MFSA re-iterated that it expects trustees to implement a formal conflicts of interest policy.
Assessment of Risk
The findings of the thematic review indicated that risk assessment is not properly undertaken by most authorised persons. The Authority expects all authorised persons to identify their key operational risk areas. Such exercise is expected to include details of the risk tolerance limits which the entity is authorised to take and measures as to possible ways to mitigate any operational risks. The Authority also expressed concern with the authorised persons’ perception of risk. Most of the entities indicated that they have a low risk appetite but at the same time also indicated that they have clients from high risk jurisdictions. In this regard authorised persons should conduct a proper risk appetite assessment and devise a risk policy to reflect this and to take necessary measures to mitigate risks.
Professional Indemnity Insurance (PII)
Following the amendments to the Trusts and Trustees Act which were issued on 25th April 2014, authorised persons were required to have in place Professional Indemnity Insurance within six months. It was noted that not all authorised persons have in place this PII cover within the transitionary period stipulated by law. Furthermore it was noted that even though authorised persons might have a PII in place this is not adequate with respect to the level of business undertaken. The Authority expects that adequate PII cover is in place for all authorised persons without delay.
The MFSA noted that staff training, including training of directors appears to be either limited or inadequate. The Authority expects authorised persons to ensure that they have in place formal procedures with clear reporting lines which should be made known to employees. Moreover the Authority expects authorised persons to have a yearly training programme in place and that this includes training specific to trusts and fiduciary obligations.
(i) Retention of documentation
The Authority noted that some entities have a system in place whereby client records are only held in hard copy. The Authority however expects authorised persons to retain copies of all relevant documents applicable to their fiduciary business. The Authority is aware that a number of authorised persons retain client records in both paper and electronic format. In the latter case, it expects records to be regularly backed up, with backups kept off-site in a secure place. The Authority is aware that a number of authorised persons forming part of a group operate from the same premises. Such authorised persons are expected to ensure that confidentiality is safeguarded at all times and client records are only accessible to authorised staff members. Another predominant issue that was encountered during such onsite visits is the retention of proper documentation with respect to clients that have not terminated the fiduciary relationship but are no longer being serviced by the authorised person, mainly due to such authorised persons having lost contact with the ultimate beneficial owner/s. In this respect, the Authority expects authorised persons to ensure that all possible avenues of communication are utilised and proper records are retained that indicate the attempts that have been made to try and re-establish contact.
(ii) Clients’ lists
The Authority expects authorised persons to hold a proper clients’ list which is kept up to date and can be made readily available upon request.
Business Continuity Plan (BCP)
The Authority noted that Business Continuity Plans are not always formalised by authorised persons. The lack of a formal Business Continuity Plan is in breach of the requirements of the Rules applicable to trustees and fiduciaries. It was also noted that even though a number of authorised persons have in place a BCP, this deals only with business disaster recovery that focuses solely on the recovery of the IT system and does not extend to other areas which are similarly critical to the operations of authorised persons, such as succession planning. Finally the Authority is concerned to note that a number of authorised persons either appear to have never tested the BCP or else this is done informally and is not carried out on a regular basis. The Authority expects records of these tests to be retained by the authorised persons.
The Authority noted that even though authorised persons delegate certain functions to third parties, an outsourcing agreement is not always entered into. The Authority expects formal agreements to be entered into with respect to any outsourced function, irrespective of who is providing the service. Such an agreement should specify the services to be provided and the accessibility to information and records, and should extend to confidentiality matters, since the third party will be privy to confidential information about clients.
During the desk-based review and/or onsite compliance visits other issues were identified as follows:
(i) The Authority noted that a number of authorised persons did not provide information on their bank accounts, the signatories and their reconciliation process in the questionnaire sent by the Authority as part of the thematic review. The Authority expects that all authorised persons have in place a procedure whereby bank reconciliations, especially for those bank accounts that hold clients’ monies, are carried out on a regular basis. Moreover, such reconciliations should be duly signed and dated, and the process of reconciliation should comply with the four-eye principle;
(ii) Reconciliation of the underlying trust assets including, but not limited to, shares held in companies etc. is not carried out on a regular basis;
(iii) Structures that include various layering are sometimes in place. The Authority expressed concern that often the authorised entity is not in a position to clearly explain the reason behind such layering and often appears to rely on the advice received from third parties;
(iv) Certain sections of the thematic questionnaire were either not properly answered by authorised persons or else conflicted with other sections within the same questionnaire.
Other Important Matters
- As per the Trusts and Trustees Act, an authorised trustee or fiduciary must have a minimum of three directors. During onsite visits and meetings with directors of a number of authorised trustees, it appeared that not all the directors are involved in the affairs of the authorised person. The Authority expects directors to be involved in the affairs of the authorised entity in accordance with their fiduciary obligations and have enough information available to make informed decisions during Board of Directors’ meetings. Approved directors are expected also to be able to provide information to the Authority about the affairs of the authorised entity and not merely refer any queries to those directors involved hands on in the day to day administration. The Authority expects authorised entities to comply with the four-eye principle, as per the Rules for trustees and fiduciaries, where the Authority requires that at least two independent minds be applied to both the formulation and implementation of the policies of the undertaking;
- In terms of Article 43 (4) (i)(d) of the Trusts and Trustees Act, all trustees and fiduciaries, excluding administrators of private foundations, must have a minimum capital of fifteen thousand euros (€15,000), which they shall maintain throughout their duration. The two-year transitory period to adhere to this requirement will expire on 25 April 2016 and all authorised persons are required to adhere to this requirement by the stipulated date. The aforementioned minimum share capital should be issued and fully paid up.