The FMA has released a consultation paper on proposed standard conditions of licences granted under the Financial Markets (Conduct of Institutions) Amendment Act 2022 (COFI Act). Submissions are due in early September and you can find a link to the consultation paper here.
The COFI Act was passed into law on 29 June 2022 and is intended to come into force in early 2025. The Act introduces a new regime regulating the conduct of financial institutions, which is centred around a new overarching fair conduct principle and the establishment of a fair conduct programme to operationalise that principle.
The new regime also requires registered banks, licensed insurers and licensed non-bank deposit takers providing relevant services to consumers to operate under a ‘financial institution licence’ issued by the FMA. All licence holders and each of their authorised bodies will need to comply with the standard conditions of their financial institution licence. The FMA is expecting to start accepting licence applications in mid-2023. The FMA is currently developing the licence application form and preparing a guide with details on how to apply.
The FMA is proposing in this round of consultation to impose six standard conditions on financial institution licences. These standard conditions are largely consistent with those imposed on other licences issued by the FMA, such as the standard conditions imposed on financial advice provider licences. The proposed conditions relate to:
A financial institution must at all times continue to satisfy the various requirements for licences, such as directors and senior managers meeting fit and proper criteria. This standard does not prevent organisations from making changes to their business, provided that the organisation can continue to meet its licensing requirements.
A financial institution must notify the FMA in writing within 10 working days of implementing any material change to the nature of its financial institution service. The conditions will include an explanatory note with guidance on what is considered to be a "material" change in the context of a financial institution service.
A financial institution must provide the FMA with the information the regulator needs to monitor the institution’s ongoing capability to effectively perform its service. This will include updated information on the financial institutions fair conduct programme and the nature, size, and complexity of the financial institution service. The FMA intends to consult with industry further prior to publishing any requirements for regulatory returns.
If a financial institution outsources a system or process necessary to the provision of its service, it must be satisfied that the provider is capable of performing the service to the standard required to enable it to meet its market services licensee obligations. The FMA's comments note that this condition is not intended to cover distribution arrangements (ie there is no intended overlap with other obligations in the COFI Act concerning intermediaries).
A financial institution must have and maintain a business continuity plan that is appropriate for the scale and scope of its financial institution service and must notify the FMA of any event that materially impacts the operational resilience of its critical technology systems. This proposed condition differs from the equivalent condition for financial advice provider licences in that material events are required to be notified to the FMA within 72 hours of discovering such an event (the notification period under the standard condition for financial advice provider licences is significantly longer at 10 working days). The consultation paper notes that the shorter 72 hour notification requirement recognises the critical nature of financial institutions’ technology systems "to the maintenance of a sound and efficient financial system and insurance *sector". It is unclear if this is an inadvertent reference to objectives usually pursued by the RBNZ, rather than the FMA. In any event, we expect it would be helpful for all concerned if there is a clarity of focus, roles and processes in the event of a business continuity event.
A financial institution must create in a timely manner and maintain adequate records in relation to its services. The explanatory note anticipates that records should include:
-
the financial institution's fair conduct programme;
-
records that demonstrate how the financial institution has established, implemented and maintained the fair conduct programme;
-
records that demonstrate how the financial institution has taken all steps to comply with its fair conduct programme; and
-
records that demonstrate that the financial institution has undertaken regular review of that programme and that any deficiencies have been promptly remedied.
Submissions close 5pm on Wednesday 7 September 2022. Following this, the FMA will review the submissions and finalise the standard conditions. These finalised conditions will then be published on the FMA website.
Key considerations
The COFI Act imposes many new obligations on financial institutions including the duties to establish, implement, maintain and comply with fair conduct programmes comprising effective policies, processes, systems and controls that are designed to ensure compliance with the fair conduct principle. Given the impending imposition of these obligations, we recommend organisations begin considering how these obligations inter-relate in order to ensure that their fair conduct programmes can be efficiently implemented and recorded.
Financial institutions will also need to ensure that they have effective systems in place to not only ensure that their fair conduct programme is fit for purpose, but also that it continues to be fit for purpose, so long as they continue to provide relevant services to consumers. While we anticipate there will often be alignment between financial institutions and the FMA as to their approach to their fair conduct programmes (that is, it is in the interests of both financial institutions and the FMA for financial institutions to be operationally resilient), organisations should still remain conscious of the greater powers that the FMA will have once the financial institutions licences are in place. By way of illustration, ASIC last week released an article commenting on the recent ASIC v RI Advice Group case, in which an Australian financial services licensee was found to have breached its licence obligations after failing to adequately manage its cybersecurity risks and ensure the financial services covered by its licence were provided fairly and efficiently.
Do get in touch if you'd like to discuss the development of your organisation's fair conduct programme or the FMA's current consultation on the standard licence conditions.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.