4 tips for passing your first regulatory audit
Obtaining a FINMA licence is one thing, but complying with the supervisory requirements is quite another. So how do you avoid surprises when your first regulatory audit under FINMA is due? After passing our first, here are some insights to help you prepare for yours.
The date has been looming for three years, and now it’s come and gone: The transitional period for applying for a FINMA licence is over. According to FINMA’s latest guidance, 670 applicants had been granted a licence by the end of 2022, with about 1,000 licence applications still in processing.
We’re talking, of course, about the Swiss Financial Institutions Act (FinIA), which entered into force on 1 January 2020 and made financial institutions, such as portfolio managers and trustees, in Switzerland subject to a licence requirement. It also introduced a new supervisory regime.
Hindsight is the best insight to foresight, so the old Irish proverb goes. So whether you have your licence or not, you should build on what you learned during the application process and prepare for your first regulatory audit now. It will not only save you time and effort, but it will also prevent unwelcome surprises. And there’s no time to lose: After you receive your FINMA licence, you can expect the auditors to come calling within 12-18 months.
At Marcuard Heritage, we’re constantly learning from the past to better plan for the future. We hope the insights gained from our first regulatory audit will provide some foresight to help you better prepare for yours.
After the licence is before the audit
Those who have completed the FINMA licence application process know it is challenging. There are so many boxes to tick to satisfy the organisational obligations alone (FinIA, Article 9), which require you to “establish appropriate corporate management rules and be organised in such a way that [you] can fulfil [your] statutory duties.”
But after you’ve demonstrated that you have an appropriate organisation on paper, you must prove it in practice – and show that you can continue to do so for the foreseeable future. That’s why it’s crucial not just to create a concept but to set up a robust organisation with the proper procedures in place for your size and risk level. Then be ready to put it to the test during the audit.
Use the tips below to help you build a solid foundation and avoid unnecessary surprises.
1. Understand that one size does not fit all.
The obligation to have an appropriate organisation pursuant to Article 9 is universal, but the requirements vary from one type of financial institution to another. For example, the stipulations for portfolio managers and trustees differ from those for securities firms. You must also account for the size and complexity of your business when applying the regulations, particularly when it comes to risk management and compliance functions. So be sure to implement policies and procedures that fit your organisation – processes tailored precisely to your services and capabilities.
A well-informed staff is critical, with deputy roles for key regulatory positions (e.g., compliance and risk management). If you can’t fill those roles internally, you can and should practise smart outsourcing. Carefully select, instruct, and supervise these partners; you’ll benefit from their support come auditing time, not to mention potentially reducing costs. But choose wisely. Providers who offer regulatory services but are not a good fit for your organisation might pass the FINMA application process but will fail the audit.
2. Train your staff proactively and continually.
Investing plenty of time and energy into training your staff now will pay dividends in the future. We have entered a new regulatory regime, and your entire team needs to understand what has changed and why. Use these training sessions to review the general requirements associated with the FINMA licence and then dive into the specific obligations of each role. What does your client-facing team need to know as opposed to back-office staff? For example, client advisers must inform clients of certain risks associated with investment services. What are the other rules of conduct? Furthermore, portfolio managers like Marcuard Heritage must always meet capital adequacy requirements. What should you and your staff be doing to monitor ongoing capital adequacy? Do you have sufficient internal controls in place and is your staff properly trained to run them?
Equally important is making this a routine and ongoing process. That way, your team won’t need a refresher course to get back up to speed before the next audit. After all, depending on your supervisory authority’s concept and your company’s risk category, you may only be audited every four years in the future while being required to file self-declaration forms in between.
3. Demonstrate timely implementation of FinSA and FinIA requirements.
The Swiss Financial Services Act (FinSA) and the Swiss Financial Institutions Act (FinIA) entered into force on 1 January 2020 and included transition periods until 31 December 2021 and 31 December 2022, respectively. During your first regulatory audit, you need to be able to demonstrate the timely implementation of the new requirements before the transition periods expired. For example, you must show that you have segmented your clients, joined an ombudsman, labelled your marketing materials accordingly, disclosed your economic interests with affiliated companies, and informed your clients in a timely manner.
Having this information readily available before the audit begins will save considerable time and energy during the auditing process.
4. Make sure all electronic data is available and accessible.
During the audit, your auditor will ask for lots of information, including statistical queries. So it’s essential to make sure all your data is highly accessible. And we mean everything – from account holders, beneficial owners, and their domiciles to service types, client risk categories, transactions with increased risks and how they are monitored, and assets under management per investment strategy. You’ll also want to be able to quickly illustrate your organisation’s setup and capital adequacy requirements and provide an overview of your service suppliers (including contact information, roles, risk management system, etc.).
The scope and granularity of the statistical data needed for the regulatory audit may deviate from the level of detail that was required for your FINMA licence application. Be aware of this and prepare accordingly.
On paper is not in practice
At Marcuard Heritage, we saw a FINMA licence as a competitive advantage right from the start, which is why we applied early and received our portfolio manager licence in September 2021. We learned a lot during the application process. We also came together as a team not just to apply for the licence but also to establish the “appropriate” organisation to implement the requirements. That time and effort paid off when our first regulatory audit came precisely one year later, in September 2022.
After obtaining your licence, don’t assume the hard work is over. Instead, build on what you learned during the application process and lay the foundation for a robust organisation that will pass the real test.
If you’re looking for a professional home built on a solid FINMA-compliant foundation, not to mention solid principles, and an independent model that drives you to excel, get in touch. We’d love to hear from you.