Company Service Providers: Building a Compliance Culture
MARCH 09, 2021

A strong and effective governance framework is key to achieving goals and identifying opportunities. It is the foundation upon which Company Service Providers (CSPs) should build their structures.

At Board of Directors’ level this translates into creating a culture of compliance and determining the means with which to embed this culture at all levels of the organisation, setting the tone from the top. On an ongoing basis, Boards are responsible for effectively monitoring the development of this culture.

Other than complying with relevant local and international regulations (such as GDPR, FATCA, CRS [1]), CSPs are expected to have in place:

  • tailor-made policies and procedures to support the implementation of the Board’s expectations, and clear reporting lines. Work performed by the Compliance and AML/CFT functions should be documented and these functions should report to the Board on a regular basis in line with the nature, scale and complexity of the CSP’s activities; and
  • competent senior management to oversee the operation of control structures. Senior management should have a thorough understanding of the purposes as well as the requirements of the rules applicable to CSPs. Staff should be trained in relation to the CSPs’ procedures to be able to apply them in practice, one such instance being business continuity protocols and regular testing.

CSPs should also have a “three lines of defence” model appropriate to their business profile. The standard three lines of defence model can be summarised as follows:

  1. The first line of defence being those officers and employees who have a direct interface with clients and carry out CSP activities,
  2. The second line of defence being the monitoring and oversight functions of the Compliance and the AML/CFT functions and,
  3. The third line of defence, entrusted with assessing the internal controls and the monitoring and oversight in place. In larger or more complex organisations this is generally performed by an internal audit function. Where the Authority determines that an internal audit function is not necessary due to the nature, scale and complexity of the business, a strong and effective Compliance function becomes even more critical to the organisation. It should also be pointed out that CSPs remain responsible for assessing and monitoring the effectiveness of their internal controls, policies and procedures and for taking the necessary remedial action where deficiencies are identified.

Two of the key tenets of a strong governance framework are accountability and transparency. CSPs are expected to have documented policies and procedures in place identifying who is responsible for what. Accurate board minutes should be maintained, as well as records of any complaints and breaches of laws and regulations. Client agreements detailing the services offered to clients, signed by the CSP’s representatives and the client, should also be maintained.

CSPs should have clear fee structures in place which are communicated to their clients. Accessibility of records and management of information are paramount: beyond maintaining information, CSPs should be able to retrieve it as and when required, allowing for timely reporting to supervisory authorities and for providing sufficient and clear information in these reports and during onsite visits performed by the Authority.

In conclusion, the COVID-19 pandemic has demonstrated that CSPs are not immune to business risk. While the main risk factor for CSPs is money laundering and the financing of terrorism, there are other threats to be considered, such as ICT and security risk. To harmonise the approach to the implementation of technology arrangements, ICT and security risk management and outsourcing arrangements, the Authority has recently issued a guidance document which can be found here.


[1] GDPR - General Data Protection Regulation

FATCA - Foreign Account Tax Compliance Act

CRS - Common Reporting Standard