It’s hard to get an AIF-license, much easier to lose it!
Compliance, risk management and internal control should be a regular item on the agenda the AIF Managers Board- and management meetings
Getting a license as a manager, either under AIF, UCITS or also EuVECA legislation is a demanding process. The AIFMD turned into national law, the Securities Trading Act and the EuVeca Regulation (not yet law in Norway) sets a high standard for internal control and compliance.
Experience shows that those who lose a license issued by the Financial Supervisory Authority often do so because they do not have sufficient internal control procedures, or that what they have on paper is not observed in practice.
Four questions about intern control procedures of managers of collective investment schemes
We have formulated four questions relating to the operation of your business. If you have clear answers to these you are probably on relatively safe ground in relation to the requirements of internal control. If the questions seem difficult, your business may well suffer deficiencies in the internal control systems and you need to take action.
Does the company focus on the right things in relation to internal control and risk management?
The legislator has had a particular focus on protecting investors against products they do not understand or which for other reasons do not seem suitable, and on preventing money laundering. These two areas must be covered by clear guidelines and good operating procedures and control documents.
The Norwegian laws and regulations reflect international requirements, important directives are the AIFMD, MIFID and FATCA. There are differences in the scope of internal control and risk depending on the type of fund activity undertaken, but in general the requirements are extensive.
The correct level of formal internal control system is found when matching the statutory requirements with the risk inherent in the company’s operation. Several resolutions in recent years have resulted in tighter regulation of fund managers’ business. In addition there are requirements in the regulation on risk management and internal controls (No. Forskrift om risikostyring og intern kontroll) that focus on adequate management of the businesses underlying nature and the risks involved.
Managers should have undertaken an evaluation of needs, design, implementation and streamlining of their business specific risk management and internal control systems.
Do you have an internal control system that meets the legislator’s requirements?
Internal control systems for managers can be bought over the counter. The challenge is that these systems are designed for the most complex organisations which will have risks that may not at all be present in the operation of smaller companies. On the other hand, the standard system may be too general in some areas where it should be more focused. An ill-fitting system will be expensive to operate, it will not add value and may not offer the control it should. Leave it on the shelf – lesson learned, you need to spend some time to design your internal control system to fit your business organisation.
Have the Board and management ensured that the internal control system is known and in-use in the company?
While all fund managers may answer that they have a significant focus on internal control, they may not have formalised the operation of the internal control system. It may not be written down and evidence that internal controls have been exercised may not be documented. This is not acceptable under the license issued by the Financial Supervisory Authority (No. Finanstilsynet) and will put the firms license in jeopardy.
A good internal control system is not only established, it is implemented. The latter is the hard part. Implementation means that the internal control system must be known within the organization, it must be in use – and proof that it is in use must be available for later control. An internal control system that looks great on paper but which is not part of the daily operation of the company has no value.
A properly implemented internal control system ensures secures the operating license of the fund manager
The implementation of the internal control system involves everyone in the company. Internal controls must be operationalised through clear instructions, it must be clear to all which function and ultimately who, is responsible for certain actions and controls.
Responsibility for internal control should be included in job descriptions and role descriptions. Checklists which requires ticking off when certain actions are performed and before moving on to the next stage, will often play an important part in the internal control system. Check done after the fact are not sufficient nor appropriate.
Have the Board ensured that there is a person responsible for the internal control system?
The Compliance officer is responsible for ensuring that operations of the company comply with the requirements set out in laws and regulations. For smaller fund managers it will be acceptable to combine this function with the risk management function.
Commitment from the top is necessary in order to instill in the business organisation the discipline required to implement a proper internal control system and to maintain its use at all levels of the organisation and at all times. When the company is working under stress, is not the time to put the internal control system aside – on the contrary, that is the time when it is most important to follow procedure.
Compliance, risk management and internal control should be a regular item on the meetings of the Board and of the management of the company. Such focus will contribute to lower risk, greater control and increased value.
To implement internal control procedures for fund managers
To implement an internal control system is change management in practice. In the toolbox is training activities, workshops, job descriptions, guidelines and checklists, support and control and feedback.
Everyone in the organization must have been presented with- and understood their responsibilities. One’s own function and responsibilities must be understood in detail, but at the same time one must have general knowledge of the whole system. Once everything is in place, you may look in the mirror and reflect that “yes, I have control and the business do not run the risk of losing its license.”
Link til: Produktark for AIFM Intern kontroll system på Permians hjemmeside
Oslo, 28.8.2015 Ben Guren