Earlier this year the MFSA issued a detailed Dear CEO letter summarising the findings of two significant thematic reviews: (i) Outsourcing and Third-Party Arrangements, and (ii) Safeguarding of Clients’ Funds. The reviews targeted financial institutions licensed under the Financial Institutions Act and reveal a number of issues detailed below.
Institutions are urged to align their internal practices with the revised Chapter 3 of the Financial Institutions Rulebook (FIR/03) and other applicable frameworks, including BR/14 and EBA Guidelines.
1. Outsourcing and Third-Party Arrangements: Core Observations
Inadequate Assessments and Misclassification
Many institutions were unable to clearly differentiate between outsourcing and third-party service arrangements. Critical functions such as Compliance, Risk, and Internal Audit were often misclassified as non-critical, in contravention of FIR/03 and BR/14.
Intragroup Risks and Governance Failures
Heavy reliance on intra-group outsourcing, often without sufficient risk evaluation or oversight, was flagged. Institutions mistakenly assumed internal arrangements were exempt from the same level of scrutiny applied to third-party outsourcing. Such arrangements are required to meet equivalent standards, including risk assessments, contractual standards and oversight.
Concentration Risks
A concerning trend of concentration emerged, with several entities depending on the same limited pool of outsourced compliance and audit professionals—often for only a few hours per week. The MFSA expressed doubts about the adequacy of such limited engagements, calling for appropriate assessments of the time commitment required for compliance with the applicable framework.
Governance Shortcomings
Oversight responsibilities were frequently misplaced. For example, Compliance Officers were found overseeing Internal Audit, which directly breaches the governance requirements under FIR/03. Other concerns included UBOs exerting direct control over outsourcing.
2. Safeguarding of Clients’ Funds: Rising Complexity and Risk
Shift from Deposit to Investment Methods
There is a growing tendency for institutions to adopt the investment method for safeguarding client funds. While permissible, this method demands a more nuanced assessment to ensure assets are secure, low-risk, and liquid—criteria detailed under FIR/03 R3-2.9.7 and the CRR. The MFSA requires a thorough assessment of the security and liquidity of the assets chosen.
Concentration in Safeguarding Arrangements
A substantial number of institutions rely on a single safeguarding channel, heightening exposure in case of institutional failure or operational disruption. The MFSA advises maintaining multiple safeguarding arrangements and recommends holding a portion of client funds in credit institutions to preserve liquidity.
Governance Expectations
Institutions must assign an individual who monitors safeguarding compliance and reports periodically to the Board. The Board, in turn, must ensure that access controls (e.g., four-eyes principle) are properly implemented and that UBOs do not engage in authorising safeguarding transactions.
3. FIR/03: A Closer Look at the Revised Rulebook
FIR/03 outlines clear regulatory expectations for financial institutions. Key areas include:
- Outsourcing Assessments: Firms must determine whether arrangements qualify as outsourcing and whether they are critical or important (FIR/03 R3-2.8.6 to R3-2.8.10).
- Contractual Provisions: Critical outsourcing agreements must include terms such as governing law, termination clauses, permissibility of sub-outsourcing and contingency planning (R3-2.8.41).
- Documentation and Registers: Many institutions lacked comprehensive outsourcing policies and registers. FIR/03 mandates that these be Board-approved, regularly updated, and fully aligned with EBA Guidelines.
- Safeguarding Procedures: Detailed safeguarding policies must cover the methodology for safeguarding, governance, third-party assessments, and reconciliation processes (R3-2.9.17 to R3-2.9.24).
- Audit Obligations: Annual audits of safeguarding arrangements are required (R3-2.9.25), and institutions must notify the MFSA of any material changes to their safeguarding methods (R3-2.9.12).
4. Key Takeaways and MFSA Expectations
The MFSA urges Authorised Persons to:
- Conduct rigorous pre-outsourcing assessments, maintain updated documentation and periodically review their outsourcing arrangements.
- Integrate outsourcing and safeguarding reviews into Internal Audit Plans.
- Maintain and periodically test their business continuity plan with regard to any outsourced critical or important functions.
- Diversify safeguarding structures to mitigate concentration risk.
- Allocate adequate time and resources to fulfil regulatory obligations.
The Authority will continue to monitor compliance through supervisory interactions and on-site inspections. Institutions are also reminded to prepare for obligations under the upcoming Digital Operational Resilience Act (DORA), especially regarding ICT-related third-party arrangements.
Conclusion
The MFSA’s thematic review sends a clear message: financial institutions must adopt a proactive, well-documented, and risk-sensitive approach to outsourcing and safeguarding practices. With the regulatory bar rising, particularly under FIR/03, institutions must act swiftly to close identified gaps and ensure long-term resilience and client protection.
For assistance with ensuring compliance with the above requirements, contact Shoulder Compliance on info@shoulder.mt.