Financial Law Insight



FMA’s Supervision Insights

The FMA’s review was designed to identify deficiencies and breaches, rather than highlight good practices – and accordingly the report focuses on adverse findings. The report notes that while a large part of the industry is working hard to move towards the regulator’s expectations, problem areas remain – mostly as a result of a casual or careless approach to conduct and compliance.

The FMA has clearly signalled that it expects all financial markets participants to consider the findings and recommendations in its report – and that given the maturity of the regulatory regime and clear expectations of the regulators, entities can expect robust enforcement by the FMA in the event of any failure to meet obligations.

This fact sheet summarises the key findings of the report and sets out simple steps entities can take to improve their regulatory and compliance regimes.

Corporate governance

The FMA found a lack of good corporate governance in some entities, which it considered likely to compromise the governing body’s ability to oversee the entity and provide appropriate direction to management.

Do

  • Ensure your boards are educated on the relevant regulatory requirements (including the principles relating to board composition, performance, and risk management) using the resources produced by the FMA.

  • Ensure your directors/trustees spend enough time understanding the entities they govern and applicable regulatory requirements – rather than solely relying on the FMA’s monitoring (proactive vs reactive).

  • Regularly review the effectiveness of the board, including the criteria for what constitutes an ‘independent’ director/trustee (if relevant).

Don't

  • Simply assume that your directors/trustees understand all of their general corporate governance obligations or the entity’s obligations.

  • Assume continued board independence, particularly where your directors/trustees have been serving for a long period of time.

  • Provide inadequately detailed reporting to the board (or, conversely, provide overly lengthy documents).



Risk and compliance resourcing

The FMA found a number of entities with insufficient resources to support the management of risk and compliance.

Do

  • Design risk and compliance frameworks that are fit for purpose and right-sized.

  • Allocate sufficient resources to risk and compliance to ensure you successfully identify and manage risks and comply with your regulatory obligations.

  • Clearly define risk and compliance responsibilities both within teams supporting these areas and within frontline staff who identify and manage risks on a day-to-day basis.

  • Ensure your compliance managers have adequate knowledge of policies, operating models or obligations.

  • Ensure that the effectiveness of your resources is being monitored to confirm your objectives are being achieved.

Don't

  • Forget to renew, update, and define functions and responsibilities that are assigned to roles in managing risk and compliance.

  • Adopt policy and procedure compliance frameworks that are not tailored and inadequately reflect the intention and purpose of your business.

  • Create compliance frameworks that are going to be too ambitious to implement.

  • Allow frontline teams insufficient time and resources to adhere to your obligations.

Oversight of third party providers

The FMA found a number of deficiencies in entities' oversight of functions outsourced to third parties, including investment management, distribution/sale of products, compliance assurance, and IT services.

Do

  • Ensure outsource arrangements are appropriately documented.

  • Undertake due diligence on your outsource providers before engaging them.

  • Ensure you carry out due diligence on an ongoing basis, and do not solely rely on the information provided by the provider.

  • Review your outsourcing provider arrangements at a frequency appropriate to the risk involved depending on the nature and importance of the outsourced service.

Don't

  • Waive the responsibility for having a formal and adequately detailed agreement with your outsource providers (even if the provider is within the same corporate group), or for having formal periodic review and monitoring of controls in place.

  • Fail to monitor the performance of your outsourcing providers.

  • Simply assume that your outsource providers have the required authorisation, licence, or registration – do your own due diligence.

Supervisor monitoring

The FMA reviewed the monitoring programmes licensed supervisors are required to have for overseeing the operation of managed investment scheme managers and other financial service providers.

Do

  • Ensure planned monitoring includes relevant known risks, and takes into account sector-based risk assessments.

  • Prioritise monitoring based on risk (and not revenue) and apply a sense of urgency and focus on any issues identified.

  • Clearly document any associated controls, if custodial functions are outsourced.

Don't

  • Rely on discovering risks at a later date by failing to be proactive from the start with the risk-based monitoring programmes.

Conduct and culture

The FMA expects all financial service providers to effectively identify, manage, remediate, and report to the FMA on conduct risks and issues to deliver consistently good outcomes for customers.

Do

  • Undertake and document an assessment of your business in line with the principles in the FMA Conduct Guide and other FMA guidance, and address any gaps.

  • Consistently revisit your processes and the treatment of your customers to assess whether these lead to the best outcomes you can deliver for your customers.

  • Think and act beyond the minimum legal and regulatory standards so customers can maintain trust and confidence in financial institutions and systems.

  • Ensure your boards and senior leaders are encouraging good conduct, and provide the appropriate resources and support.

Don't

  • Ignore conduct that falls short of the FMA Conduct Guide principles or lack commitment to implement change in this area.

  • Disregard feedback and insight from your customers and advisers, or fail to prioritise your customers’ needs.

  • Tolerate inconsistency in approaches for identifying and dealing with customer complaints, or fail to have sufficient internal policies and processes for reporting conduct issues.

  • Provide sales incentives that encourage staff to sell more products without ensuring there are adequate controls in place to address the conflicts of interest arising.

Compliance Assurance Programmes

The FMA reviewed whether derivatives issuers, discretionary investment management service providers, and managed investment scheme managers met the requirement to have a Compliance Assurance Programme (CAP).

Do

  • Have a CAP in place that challenges and tests the design and operations of your processes and controls.

  • Ensure the CAP operates as intended, and includes the minimum standards of independent testing.

  • Review the CAP frequently to ensure it reflects current processes and controls, and operates as intended.

  • Ensure your board obtains the assurance required to exercise its duties, and conducts reporting and testing as planned.

  • Review the FMA’s 2018 Compliance Assurance Programmes information sheet.

Don't

  • Fail to complete or implement a CAP – it is a minimum requirement for licensed entities.

  • Only consider a narrow set of obligations, such as the NZX rules – wider entity obligations must also be covered.

  • Allow the CAP to lack sufficient detail about obligations or roles, and the responsibilities for overseeing its operation.

  • Overdo the CAP, making it too complex and not effective to operate. It must be fit for purpose and right-sized.

  • Combine CAP requirements with your other internal policies. This can create ambiguity resulting in a lack of a clear testing plan.

Compliance and controls

The FMA reviewed licensed entities’ compliance with their obligations. The FMA expects entities to comply with all of their licensing obligations, and engage with the FMA if they find compliance issues.

Do

  • Provide the FMA with early notice of any potential issues, as doing so allows for more assistance to resolve issues and minimise any potential harm to investors.

  • Have adequate processes in place to detect and resolve any issues that arise.

  • Revisit your financial markets conduct compliance obligations if there has been a change of ownership or integration into another business.

  • Ensure the appointment of appropriately qualified and experienced directors.

Don't

  • Fail to implement all of the policies, processes, and controls you told the FMA you had at the time of licensing.

  • Fail to meet the licence condition of maintaining the same or better standard of capability, governance, and compliance as was the case when the FMA assessed your licence application.

  • Provide information to the FMA that is incorrect or potentially misleading.

Misleading information

The FMA reviewed entities’ ability to communicate clearly and honestly with their customers.

Do

  • Ensure you have processes and controls in place to cover all obligations required, and to ensure that no disclosure documentation, advertisements, or other communications are false or misleading.

  • Ensure customers’ decisions are based on fair understanding of your financial products and services, and their risks and benefits.

  • Consider instructing different staff in your business to undertake customer-facing documentation sign-off processes as a check on identifying potentially misleading content.

Don't

  • Focus only on the benefits of your products and services – instead, provide balanced information by explaining the related risks.

  • For Authorised Financial Advisors – promote yourself as independent if you do not meet the definition of ‘independent’.

  • Use the term ‘broker’ if you are not offering broking services as defined in the legislation.

  • Inadequately explain the terms and conditions of an incentive to your customers.

Internal policies and procedures

The FMA found numerous examples where entities’ internal policies and procedures were not fit for purpose, and/or were not subject to regular reviews and monitoring. The FMA expects entities to comply with their obligations by having an appropriate set of policies and procedures that are suitable for the size and nature of the entity.

Do

  • Comply with the requirements in the standard conditions and minimum licensing standards that require you to maintain internal policies and procedures.

  • Put in place policies and procedures to ensure your customers receive fair and transparent outcomes.

  • Review your internal policies and procedures periodically, especially when there are changes in your business, to ensure they remain current and fit for purpose.

  • Effectively communicate the policies and procedures to your staff to ensure they are understood and followed.

Don't

  • Provide policies and procedures at a group or parent company level and have insufficient detail specific to your business.

  • Rely on policies that are too complex for a small business or generic templates that are not sufficiently customised to your business.

  • Fail to keep evidence of periodic reviews of your policies and procedures, or fail to undertake these reviews in a timely manner.

Employee training

The FMA found some weaknesses in the design and delivery of staff training.

Do

  • Ensure that appropriate training is provided to your staff and records of training are maintained.

  • Provide staff with a range of options to learn about their obligations. These may include facilitated sessions, online learning modules, webinars, seminars or conferences, formal study through a training institute, reading documents, and participating in discussions.

Don't

  • Limit training to some staff in your business over others.

  • Provide only one avenue for staff to receive training.

  • Provide out-of-date material as the basis for staff training.

  • Outline training programmes in your plans then fail to implement them.

Acting without authority

The FMA expects entities to hold the appropriate authority for the actions they take on behalf of customers.

Do

  • Obtain the correct consent before acting on behalf of a customer.

Don't

  • Treat customers as ‘eligible investors’ without obtaining the appropriate certification.

  • Obtain consent from only one trustee (where your customer is a trust) when acting on behalf of your customer.


The FMA was clear in its report that it is disappointed with a number of financial markets participants’ efforts to genuinely adopt and implement the governance and conduct frameworks expected of licensed entities. The FMA was also clear that, with the regime now sufficiently mature and the regulator’s expectations clearly set out, further non-compliance will not be acceptable and the FMA will consider using its enforcement powers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
