GUIDANCE NOTE GN0014/07
COMPLIANCE MONITORING PROGRAMMES

14 June 2007
Reissued April 2011

Disclaimer

This Guidance Note has been issued by NZX to promote market certainty and assist market participants. This Guidance Note sets out NZX's general approach to the subject, but is not to be regarded as a definitive statement of the application of the Rules in every situation. NZX may replace Guidance Notes and Practice Notes at any time and a Market Participant should ensure it has the most recent versions of these documents. Guidance Notes do not constitute legal advice. NZX recommends that Market Participants take advice from qualified persons.

Introduction

This Guidance Note is published to provide guidance to NZX Market Participants in relation to the implementation of industry good practice for Market Participants' compliance arrangements.

Background

NZX has observed during the course of recent onsite visits at Market Participants that several participants have begun to formulate and implement Compliance Monitoring Programmes (CMP). This in large part stems from the participant's determination to demonstrate compliance with Participant Rule 3.11.1, as well as to document and clarify their compliance arrangements.

As a consequence of this emerging practice, NZX has determined that Market Participants will benefit from guidance in respect of good broking practice in relation to the formulation and implementation of Compliance Monitoring Programmes. This note sets out this guidance.
Under Rule 3.11.1 each Market Participant must have a Compliance Manager who is accountable to the Managing Principal (or Responsible Executive where appropriate) for:

(a) Overseeing the effective control of the Market Participant's Broking Business;
(b) Ensuring that the obligations of the Market Participant as set out in the Rules, Guidance Notes, and any direction set out from time to time by NZX are met and that the Market Participant is observing Good Broking Practice; and
(c) Reporting all breaches and suspected breaches of the Rules, Guidance Notes and any directions given from time to time by NZX including any failure by that Market Participant to observe Good Broking Practice, to that Market Participant's Managing Principal or Responsible Executive (whichever is applicable).
A CMP provides the basis for effectively demonstrating how the Market Participant has met/is meeting these obligations. NZX considers that a CMP based approach offers the following benefits:

(1) It provides a cohesive framework and overview of a firm's compliance arrangements;
(2) The output from a CMP allows firms to evidence that they have effectively discharged their regulatory obligations, as well as providing the basis for regular compliance inputs into board reporting and/or compliance committees;
(3) It may ultimately lead to NZX Participant Compliance spending less time onsite as outputs from CMP lead to more efficient inspections;
(4) A CMP provides an effective aide-memoire for Compliance Managers' work programmes, as well as providing process guidance for alternate arrangements in the event of the Compliance Manager's absence;
(5) A working CMP, in conjunction with an effective breaches reporting regime, can provide an early warning to systemic problems; and
(6) A correctly formulated CMP can reduce the amount of underlying testing required.

What is a Compliance Monitoring Programme?

Compliance monitoring is a process that provides for the ongoing validation that controls are in place and functioning as expected. In addition, it provides a process for identifying incidents and modifying inappropriate behaviour. To meet the obligations of Participant Rule 3.11.1, Market Participants are required to address both elements of compliance monitoring.

A CMP requires the documentation of monitoring tasks, processes and procedures and documentation of the completion of those tasks within agreed timescales and in accordance with documented policy, in order to provide verification that operational and reporting issues within the business are conducted in accordance with legislative and regulatory requirements. Market Participants should set up programmes commensurate with their individual mix of business activity.
There is no one-size-fits-all CMP and unfortunately there is no off-the-shelf package available. Indeed, NZX believes that the actual process of setting up a programme provides significant benefits to each Market Participant in assessing the regulatory risk characteristics inherent in the performance of its regulated activity. By way of example a working CMP might include:

Daily/Weekly CMP

The daily/weekly programme might include: testing for unapproved Employee dealing; client order precedence; review of error logs; ensuring that all contract notes have been sent in a timely manner; review of documentation for one-off sales; and daily trade surveillance.
Monthly CMP

The monthly programme could include: new Employee induction training; review of all relevant logs and registers; a sample of new account openings; ensuring that all relevant information has been undertaken prior to submitting the monthly NZX Internal Control Checklist; ensuring changes to static data have been correctly authorised; and ensuring custody reconciliations have been performed and checked.

Quarterly CMP

The quarterly programme could cover: ensuring discretionary reports have been sent in a timely manner and discretionary peer reviews undertaken; training needs reviewed; ensuring the compliance manual has been updated for NZX Rule changes or other legislative changes that impact on the participant; and review of Chinese Walls procedures and system access.

Annual CMP

The annual programme could include ensuring that: all employee undertakings have been received and filed; sharebrokers' licences are in place for all relevant personnel; and the business continuity plan has been updated.

The above is not meant to be either exhaustive or prescriptive. NZX regulates a wide range of participants and clearly for larger firms with diverse business streams the appropriate level of compliance monitoring to be undertaken will be greater than for a firm whose sole business is advising clients. As further explained below it is each individual Market Participant's responsibility to devise and tailor a programme that encapsulates and monitors the regulated activities that it undertakes.

Practical Implementation

A useful starting point to devise a CMP will be the Market Participant's Compliance Manual. A Market Participant's Compliance Manual should be tailored to its individual business. For example, NZX would not expect to see Participant Rules and procedures related to the discretionary management of client accounts included within the Compliance Manual of a Market Participant that only conducts advisory business.
The Compliance Manual documents the NZX Participant Rules and any other legislative obligations applicable to that firm in the conduct of its business as well as the procedure it intends to adopt to meet those Rules and obligations. A CMP provides a basis for the internal testing, record keeping and reporting that enables a firm to demonstrate that those obligations are being met and procedures followed. Whilst NZX does not intend to issue specific guidance on the format of a CMP, it would however expect that the programme consist of daily, weekly, monthly, quarterly and annual tasks/processes, which specifically address the relevant timescales for performance of the underlying monitoring activity.
It should also include a description of the testing to be performed, its purpose, and, where sample testing is undertaken, should include the rationale for the determination of the sample size. NZX would also expect that the programme be annotated and supported by evidential documentation to demonstrate the testing has occurred. Checklists and templates may be useful in some instances but evidential documentation must provide an adequate audit trail recording the process/work undertaken by Compliance Managers in the performance of their monitoring.

Risk Adjustment

One of the benefits of having a CMP identified above is the eventual reduction in compliance work that will be required to be performed on an ongoing basis. In order to achieve this objective, correctly determining the appropriate level of sampling and testing to be undertaken is essential. A working CMP should be adjustable to both the level of business activity being undertaken and the relative risk identified within that activity.

By way of example, NZX would expect that a firm's CMP should be adjusted to take account of change within its business. For instance, the opening of a new branch, taking on new Advisors or undertaking a new business activity that leads to an increased risk profile and therefore requires, at least initially, a greater level of compliance monitoring. Market Participants have an obligation to identify and anticipate the regulatory and legal implications that will result from change within their business prior to the undertaking of that activity.

A CMP should not be static. Where substantive testing results in no issues being identified on an ongoing basis, confidence in the effectiveness of the controls in place correspondingly increases and the amount of testing can subsequently be reduced.
Where findings or issues occur on a regular basis, testing should be increased to determine whether there are systemic control problems in relation to that area, requiring issue elevation and remedial action. Therefore a mechanism for the documenting of breaches of both NZX Participant Rules and the firm's internal process and procedures is an essential component of an effective CMP.

Breaches Register

Rule 3.11.1(c) establishes that the Compliance Manager has responsibility for the internal reporting of all suspected and actual Participant Rule breaches to the Managing Principal or Responsible Executive (whichever is applicable). Rule 21.7 requires that Market Participants report to NZX all significant Rule breaches. Firms will in part satisfy these requirements by the maintenance of a breaches register.

The breaches register must as a minimum record the time and date of the breach, nature of the breach, its seriousness, identify what remedial action has been undertaken and whether a notification to NZX has been made. Issues appearing in the register on a frequent basis will assist Market Participants to identify systemic problems and determine whether notification to NZX is required. NZX Participant Compliance will review the use and maintenance of the register on onsite visits.

Branch Office Visits

Market Participants should undertake branch office visits as an integral component of the effective compliance oversight of their business. The intended branch office visit programme should form part of the CMP for those firms who have branch offices and these visits should be undertaken by the firm's Compliance Manager. The format of the branch office visit should be broadly similar to the CMP instituted for the Principal Broking Office with a documented and risk adjusted work programme prepared in advance of the visit and sample testing being performed onsite. The output from the branch visit will form the basis of management reporting.

Format

The format of a CMP will vary depending on the size and nature of the Market Participant. While NZX does not intend to prescribe a format, it is recommended that a tabular approach is taken to setting out the tests to be performed, their frequency, size and ownership.