2020-09-17
The Gibraltar Financial Services Commission issued Guidance Note 6 to define the operational, technical, and organizational corporate governance standards required for Distributed Ledger Technology Providers. The document mandates effective board structures, strict independence protocols, and the implementation of the Four-Eyes Principle to ensure prudent management and risk mitigation. It further requires annual performance reviews, designated compliance oversight, and transparent reporting mechanisms including Supervisory Information Capture Returns to maintain regulatory compliance.
DLT Provider Guidance Notes Corporate Governance
Gibraltar Financial Services Commission Guidance Note 6

Introduction

The purpose of this guidance note is to provide a DLT Provider, as defined in the Financial Services (Distributed Ledger Technology Providers) Regulations 2020 (the DLT Regulations), with guidance as to the operational, technical and organisational standards expected and in some circumstances required by the GFSC. This guidance note is specifically in respect of regulatory principle 6 of the DLT Regulations (the Regulatory Principle). The Regulatory Principle states that “A DLT Provider must have effective corporate governance arrangements”.

This document should be read as interpretative guidance for a DLT Provider, and the examples contained in this document should be noted as indicative of good practice by a DLT Provider in connection with the Regulatory Principle. A DLT Provider should note that the GFSC will take this document into account when reviewing a DLT Provider’s practices. The operational standards expected and required by the GFSC of a DLT Provider will vary depending on the size, particular nature, scale or complexity of the DLT Provider’s business.

Corporate Governance

A DLT Provider will need to implement and maintain good corporate governance arrangements, which establish the system by which firms are run and business overseen. This includes its structure, processes, culture and strategies, and establishes the rules by which authority is exercised and decisions taken and implemented to manage all risk types and exposures. A DLT Provider will need to deliver and maintain a corporate culture consistent with the secure and confident delivery of the Regulatory Principles.

Culture

Setting the appropriate culture is the responsibility of the DLT Provider’s board and is crucial for good customer outcomes. Directors should lead by example, act with integrity, promote the appropriate culture and ensure it is embedded throughout the organisation.
This should be reinforced by the directors’ actions, including how they interact with customers, employees, the GFSC and any other regulatory bodies. The DLT Provider’s board is also responsible for evaluating its culture, good conduct and appropriate behaviour. This includes:
• ensuring that the DLT Provider is open and transparent with all its relevant stakeholders, including customers, shareholders and the regulator(s);
• ensuring that staff members can raise any matters of concern with senior management and the board;
• continually raising any issues surrounding independence and conflicts of interest and ensuring that these are appropriately managed;
• ensuring that all concerns in respect of conflicts of interest are appropriately discussed and addressed by the board; and
• ensuring that the board and the GFSC are notified where a board member believes their concerns cannot be resolved.

Board Structure and Size

A DLT Provider should act through an effective board of directors, which is collectively responsible for its success and obligations. The board should have the appropriate balance of skills, experience, independence and knowledge of the business and industry to enable its members to discharge their respective duties and responsibilities effectively. This should include the qualities and application necessary to decide, formulate and implement strategic and day-to-day policies.

A DLT Provider should ensure that its directors collectively possess the necessary skills, experience and knowledge in respect of at least the following matters:
• the technical and operational aspects of the DLT Provider;
• the markets in which the DLT Provider will operate;
• the DLT Provider’s business strategy and business model;
• the DLT Provider’s system of governance; and
• the regulatory framework and requirements.

The directors must have sufficient experience and knowledge of the business and the necessary authority to detect and deal with any imprudence, dishonesty and/or other irregularities in a DLT Provider.

The number of individuals who sit on the board should be commensurate with the size and nature of the business, provided always that this number shall not be less than two. Subject to the minimum number of required directors, the board should be of sufficient size that the requirements of the business can be met and the business of a DLT Provider may be duly and properly discharged.
In addition, the composition of a DLT Provider’s board should allow for changes to the board’s composition to be managed without undue disruption. All directors should be able to allocate sufficient time to a DLT Provider to discharge their respective responsibilities fully and effectively. The directors shall deliberate all matters relating to a DLT Provider’s business to procure that a proper assessment of the relevant considerations and risks is carried out. A DLT Provider shall hold regular board meetings with a pre-arranged agenda, including proper reports from management of a nature appropriate to its size and type of business.

Director Responsibilities

A DLT Provider’s board should set the firm’s values and standards and ensure that its obligations to its shareholders and others are understood and met. A DLT Provider should clearly designate responsibilities to individual directors on the board. Such responsibilities should include functions relating to the DLT Provider’s business and ongoing compliance with regulatory requirements. A DLT Provider may wish to establish a committee consisting of specific directors to whom certain functions/oversight shall be designated. Any decisions taken by a DLT Provider’s board which may materially affect the DLT Provider’s business and/or the DLT Provider’s compliance with its regulatory requirements should be appropriately documented.

Non-Executive Directors

A DLT Provider may consider it necessary and appropriate to appoint individuals as non-executive directors. Should a DLT Provider wish to do so, it should apply a detailed and specific procedure for such appointments. Non-executive directors should be kept fully abreast of the DLT Provider’s business in order to allow them to participate in any relevant decision-making processes diligently and in accordance with the non-executive director’s duties to the DLT Provider.

Oversight of Executive Management

The DLT Provider’s board should:
• set the DLT Provider’s strategic direction, offer guidance and obtain advice where needed;
• provide constructive challenge to executive management and hold them to account on goals and objectives;
• have sufficient understanding of industry and technical discussions to be able to assess the suitability of plans and any documents being discussed;
• ensure that it has the processes, controls, reports and information needed to be able to understand and assess the historic and future performance of the DLT Provider; and
• ensure that the procedures for managing risk and ensuring compliance with its obligations are appropriate for the size, complexity and business of the DLT Provider. This should extend to the use of internal and external audit as well as outsourced services or specialist skills required for running the business.

The DLT Provider’s board should ensure that all function holders are accountable to the board as a whole and provide regular updates on their areas of responsibility.
This should extend to ensuring that the DLT Provider’s internal audit is directed in such a way as to give the board comfort on the data it is receiving to make governance decisions and on the key controls and processes of the DLT Provider.

Organisation

Where it forms part of a larger group, a DLT Provider should ensure that its objectives are met and that these are not overridden or biased towards group objectives to the detriment of the DLT Provider. This can be achieved by having sufficient directors who are not part of group management or the group board.
Independence

Conflicts of interest will exist and it is important that these are mitigated. A DLT Provider’s board should ensure that appropriate systems and procedures are put in place to capture and deal with the potential conflicts of interest that may arise from an organisation-wide and individual perspective. As an example, a DLT Provider should avoid the appointment of its managing director as chair of the board. For more details on our expectations regarding conflicts of interest, please refer to Guidance Note 2 on Customer Care.

Individual

A DLT Provider should assess how many independent non-executive directors are needed to ensure the independence of the DLT Provider from shareholders, groups and service providers. The GFSC expects DLT Providers to be able to explain the basis for the number of independent non-executive directors appointed. The following criteria should be considered when assessing the independence of individuals:
• any financial or other obligation the individual may have to the DLT Provider or its directors;
• whether the individual is or has been employed by the DLT Provider or a group entity in the past and the post(s) held;
• whether the individual is (individually or as part of another organisation) or has been a provider of professional services to the DLT Provider in the recent past;
• whether the individual is or represents a significant shareholder;
• circumstances where the individual has acted as an independent non-executive director of the DLT Provider for extended periods;
• any additional remuneration received in addition to the director’s fee, related directorships or shareholdings in the DLT Provider; and
• any close business or personal relationship with any of the DLT Provider’s directors or senior employees.
Where factors are identified which could suggest threats to independence, the DLT Provider’s board should consider and discuss whether the individuals are indeed independent and document their considerations in the relevant board minutes.

Overall

A DLT Provider should re-assess the independence and effectiveness of its board and the individuals on the board periodically. It should document and minute how it has considered these issues and has applied good practice.

Mind and Management

The GFSC has established criteria for Mind and Management that all applicants, including a DLT Provider, must satisfy. A DLT Provider must ensure that the Mind and Management of the business is conducted from its office in Gibraltar, and that the firm can evidence this. Where firms provide services to customers in jurisdictions outside Gibraltar, the firm should be able to continue to demonstrate that its Gibraltar office complies with the GFSC’s Mind and Management requirements. The GFSC will consider these criteria when assessing the extent to which an applicant has complied (or ought to comply) with this guidance note, taking into account the particular circumstances of a DLT Provider and its business model.

Four-Eyes Principle

There is an overriding requirement for two designated individuals of a DLT Provider to carefully review and consider all aspects of the business of the DLT Provider on an ongoing basis, to minimise the risk of error, poor judgement and/or oversight, and to ensure prudent consideration of all matters relevant to the operations of the DLT Provider’s business. Both individuals must demonstrate the qualities and application necessary to influence strategy, day-to-day policies and their implementation, and both must actually do so in practice. Both persons’ judgement must be engaged in order that major errors leading to difficulties for the business as a whole are less likely to occur. Further, they must have sufficient experience and knowledge of the business and the necessary authority to detect and deal with any imprudence, dishonesty or other irregularities in the firm.

In determining whether a firm meets the four-eyes principle, the GFSC will consider:
• the seniority and authority of the persons; and
• whether the individuals are conducting their roles on a day-to-day basis within Gibraltar.

A non-executive director, for example, would be automatically excluded from performing this role. Similarly, non-resident executive directors or non-resident executive managers would normally fail to meet this requirement. A person who is permanently employed in Gibraltar and discharges that employment in Gibraltar but resides in close proximity in Spain will, for the purposes of this criterion, be considered “resident”.
The GFSC will consider, on a case-by-case basis, representations from a DLT Provider to appoint a non-resident. The DLT Provider will need to satisfy the GFSC that the individual will still be able to fulfil their obligations.

Performance Reviews and Succession Planning

A DLT Provider’s board should consider its performance and that of its committees and members on an annual basis, assessing the contribution of individual directors and the ability to interact and work as a team. It would be appropriate for the chair of the board to lead on this in conjunction with independent non-executive directors where necessary. Board members should engage with the process and consider any feedback or development needs identified.

Succession planning should be considered well in advance and should allow for periodic refreshment of the board to avoid independence issues arising and to allow new skills and experience to be brought in where needed.
Resource and Time Availability

A DLT Provider’s board should ensure, as a collective and when making individual appointments, that its members will have sufficient time and support to carry out their responsibilities. Prior to making an appointment, the board should assess the relevant skills and time availability of the individuals being considered against the responsibilities that will accompany the post. Assessments should then be undertaken periodically (at least on an annual basis) to ensure that individuals can continue to fulfil the roles to which they were appointed.

Compliance

A DLT Provider should take all reasonable steps, including the establishment and maintenance of appropriate systems, processes and procedures, to ensure that its officers, employees and other representatives are aware of their obligations, and that they act in conformity with them. A DLT Provider should designate an appropriately skilled and experienced person as its compliance officer. The DLT Provider may delegate the compliance function to a third-party service provider, provided the standards of the delegate and the requirement for oversight set out in the “Outsourcing” section below are satisfied. The DLT Provider will retain ultimate responsibility for the function.

Servers

There is no specific requirement for a DLT Provider to have its technology or servers physically located in Gibraltar. Similarly, a DLT Provider will not ordinarily be required to have its intellectual property held in Gibraltar, as this may be held by an affiliate company outside Gibraltar. A DLT Provider will be able to use cloud services to host its business platforms, and this can be outsourced to reputable and secure cloud service providers locally or outside Gibraltar so long as the DLT Provider can demonstrate it has access to, and adequate oversight over, cloud storage and processing.
A DLT Provider should ensure that it has access to all relevant records, can provide access to the GFSC on demand at all times, and has arrangements in place in the event of failure of primary record storage systems.

Accountability

Supervisory Information Capture Return

A DLT Provider will be required to submit a Supervisory Information Capture Return (SICR) on an annual basis. The SICR will seek confirmation and/or further details on certain functions, operations, products and services carried out by the DLT Provider. The SICR will provide the GFSC with information on how the business is doing generally, whether the volume of the business is increasing or decreasing, the key risks faced, how these risks are being mitigated and what effect this may be having on the DLT Provider. The SICR is also an opportunity for the DLT Provider to confirm it has been complying with the DLT Regulatory Principles on an ongoing basis.
Reports by exception

A DLT Provider’s board should provide a report to the GFSC addressing any notable matters that have arisen during operations, including but not limited to:
• governance issues;
• customer complaints;
• systems failures or attacks;
• business interruptions;
• significant business challenges; and
• any business systemic or industry risks and how these issues have been or are being addressed.

Relationship with Regulator

A DLT Provider will need to have an open, cooperative and transparent relationship with the GFSC and other regulators and must disclose to them any matter of which the regulator would reasonably expect notice. A DLT Provider will need to notify the GFSC of any proposed changes to its shareholding structure, board of directors and/or any material changes and/or risks to the business at the earliest possible opportunity, including but not limited to any changes that ought reasonably to have formed part of a DLT Provider’s application.

Outsourcing

A DLT Provider may outsource certain services and, if the DLT Provider wishes to do so, it should apply fit and proper procedures in assessing that service provider’s ability to perform the required obligations. A DLT Provider should designate a director within the company with overall responsibility for any outsourced function. The designated director will need to possess sufficient knowledge and experience regarding the outsourced function to be able to challenge the performance and results of the service provider.

A DLT Provider may also outsource certain services to affiliate companies within a group structure. The entity responsible for fulfilling the governance requirements at group level should document which functions relate to which legal entity within the corporate group structure and ensure that the performance of the key functions is not impaired by such arrangements. A DLT Provider will retain ultimate responsibility for any outsourced functions.

Further information on the GFSC’s expectations around outsourcing can be found here.
Published by: Gibraltar Financial Services Commission, PO Box 940, Suite 3, Ground Floor, Atlantic Suites, Europort Avenue, Gibraltar. www.gfsc.gi
© 2020 Gibraltar Financial Services Commission