Guidance on Competence Assessment

Classification: Restricted Classification: Restricted Guidance on Competence Assessment Approval Date: 31 March 2023 Commencement date: 5 April 2023 Astana, Kazakhstan

Guidance on Competence Assessment 2 Disclaimer This Guidance on Competence Assessment (“Guidance”) has been developed to assist Authorised Persons and applicant firms to understand AFSA’s minimum expectations in regard to competence and capabilities of individuals carrying out or to be authorised or appointed to carry out Controlled or Designated Functions. The Guidance should be read in conjunction with the relevant AIFC Acts. Should anything in this Guidance be in contradiction with any provision of the AIFC Act(s), the provisions of the relevant AIFC Act(s) shall have prevailing force. Any such contradicting statement of this Guidance shall be treated merely as an example of good practice by taken by Authorised Persons in the AIFC. This Guidance does not cover all applicable requirements set out in the relevant AIFC Act(s). The AFSA makes no representations as to accuracy, completeness, correctness or suitability of any information provided herein and must not be liable for any error, omission, inconsistency or irrelevance of any of provisions set out herein. Information in this Guidance must not be deemed, considered or relied upon as legal advice and must not be treated as an equivalent or substitute for a specific advice concerning any individual situation. Any action taken upon the information provided in this Guidance is strictly at your own risk and the AFSA will not be liable for any losses and damages arising directly or indirectly in connection with the use of or reliance on information provided in this Guidance. Defined terms are identified in this Guidance by the capitalisation of the initial letter of a word or of each word in a phrase and are defined in the Constitutional Statute “On the Astana International Financial Centre” (“Constitutional Statute”) and AIFC Glossary (“GLO”). Unless the context otherwise requires, where capitalisation of the initial letter is not used, an expression has its natural meaning.

Guidance on Competence Assessment 3

1. Introduction 1.1. This document sets out the Astana Financial Services Authority’s (the AFSA) Guidance on Competence Assessment (the Guidance). 1.2. The purpose of the Guidance is to assist Authorised Persons and applicant firms to understand AFSA’s minimum expectations in regard to competence and capabilities of individuals carrying out or to be authorised or appointed to carry out Controlled or Designated Functions. 1.3. The Guidance does not constitute an exhaustive list of requirements that might be applicable to the firm’s business operations noting the nature, scale and complexity of the business and should not be regarded as any type of advice. 1.4. This Guidance should be read in conjunction with the following: a) AIFC Financial Services Framework Regulations; b) AIFC General Rules; c) AIFC Anti-Money Laundering Rules; d) AIFC Regulatory Guidance on Fitness and Propriety; and e) Practical Guidance to AIFC Anti-Money Laundering and Counter – Terrorist Financing Framework f) any other relevant AIFC act
2. Statement of Objectives This Guidance sets out the principles and framework under which: a) AFSA assesses the competence of individuals who perform Controlled Functions; b) Authorised Persons assess the competence of individuals who perform Designated Functions; c) Authorised Persons establish training and competence programmes for individuals who perform Controlled or Designated Functions.
3. Scope of Application The Guidance applies to: a) a Person applying to become an Authorised Person b) Authorised Persons (including for FinTech Lab Participants); c) an individual who is approved, or who is proposed to be approved, to perform a Controlled Function; and d) an individual who is appointed, or who is proposed to be appointed, to perform a Designated Function.
4. Principles of conduct for individuals 4.1. The principles for Approved Individuals and Designated Individuals are set in section 4.3 of the AIFC General Rules.

Guidance on Competence Assessment 4 4.2. The principles are a general statement of the standards expected of individuals who perform Controlled Functions or Designated Functions. They relate directly to the conduct of firms’ business by such individuals. 4.3. The principles are not exhaustive of the standards expected. Complying with the principles does not absolve an individual from failing to observe other requirements, and observing such other requirements does not assure compliance with the principles. 4.4. An individual’s failure to comply adequately with the principles is likely to affect the AFSA’s assessment of his or her fitness and propriety. A breach of the principles could form the basis of action by the AFSA. 5. Assessment of individuals for Controlled and Designated Functions 5.1. Competence assessment is both initial and ongoing test of each individual’s competencies as long as the Person continues to hold a Controlled or Designated Function. 5.2. Before making an application to the AFSA for an individual to perform a Controlled Function or appointing an individual to carry on a Designated Function, an Authorised Person or applicant is expected to be satisfied, on reasonable grounds after making appropriate inquiries, that the individual has the competencies required to perform the function. 5.3. In deciding whether an individual has the competencies required to perform a Controlled or Designated Function, an Authorised Person is expected to take into account: a) the specific requirements, characteristics and role of the function: i. requirements: a certain level of knowledge, experience and training an individual should possess to perform the function; ii. characteristics: technical and behavioural skills an individual should possess to perform the function; iii. role: duties, responsibilities and position an individual should possess to perform the function. b) the nature, scale and complexity of the firm’s business, including the products and services that it offers or provides, or proposes to offer or provide; and c) the firm’s customers. 6. Competencies 6.1. The competencies for a Controlled and Designated Function are the elements of skills, knowledge and experience that make an individual competent to perform the function. Individuals having these competence elements strengthen the protection given to customers and stakeholders: a) skills, i.e., what an individual ought to be able to do; b) knowledge, i.e., what an individual ought to know or to have qualifications and training for (qualification may include a membership in a relevant professional body or association); and c) experience, i.e., what an individual has previously done.

Guidance on Competence Assessment 5 6.2. An individual who is to perform a Controlled or Designated Function is expected to have the competencies set out in Schedule 1 for each function. Those functions are the following: a) Senior Executive Officer; b) Director; c) Finance Officer; d) Compliance Officer; e) Approved Actuary; f) Senior Manager; g) Money Laundering Reporting Officer (MLRO); h) Risk Manager; i) Internal Audit Manager. 6.3. In assessing an individual’s competencies against the relevant requirements in Schedule 1, the level of the competencies that the individual must have is expected to be commensurate to the nature and complexity of his or her role in the firm and the activity or activities that the firm conducts. 6.4. An individual who seeks to be assessed as competent to perform the compliance function, for example, for a firm that conducts only limited Regulated Activities may not necessarily have all the skills set out in Schedule 1. In contrast, an individual who seeks to be assessed as competent to perform that function for a firm that conducts complex Regulated Activities would be expected to have all or most of those skills. 6.5. Previously holding the same or similar approved positions is a good demonstration of suitability but does not guarantee an approval. 6.6. Successful applicants for Compliance Officer and MLRO functions may have a range of background and experience, including in compliance and legal teams, as lawyers, and consultants. The experience of an applicant who has only previously worked in a front-line role (and in the absence of other training or experience) is often insufficient to demonstrate that they have the necessary skills and knowledge to establish and operate a compliance function. The nature, scale and complexity of the business should be considered in the course of assessment. 6.7. An Authorised Person or an applicant is expected to ensure whether the individual has the competencies sufficient to apply for the relevant function, taking into account the circumstances of the case and the individual’s role. 6.8. Authorised Persons need to prudently manage the risks that may arise as a result of individuals performing Controlled or Designated Functions. 7. Training and Competence Document and Programme 7.1. An Authorised Person is expected to ensure that the firm’s policies, procedures, systems and controls appropriately and adequately address the training requirements. 7.2. An Authorised Person is expected to be able to provide documentary evidence of its compliance with the requirements relating to the training and competence of individuals who

Guidance on Competence Assessment 6 perform a Controlled or Designated Function. This includes training and competence document and training and competence programme. 7.3. Training and competence document should include: a) brief description of training and competence programme; b) the requirements, characteristics and role of each of the Controlled and Designated Function; c) how the firm is to satisfy itself that each individual who performs a Controlled or Designated Function has, and continues to have, the competencies required to perform the function; d) how the firm is to ensure that it complies, and can demonstrate its compliance, with its training and competence programme; e) how, and in what circumstances, the firm will review the programme and the document, including who is to carry out the review and evaluation and when; and f) how, and in what circumstances, the firm will revise the programme and the document, including who is to approve any revision (revision includes amendment and replacement). 7.4. Training and competence programme should: a) be aligned with the training and competence documents; b) be relevant, updated and appropriately structured; c) include reference to policies, procedures, systems and controls on competence assessment; d) describe continuing professional development plan; e) include review and evaluation of training needs; f) include measures that ensure that individuals who perform a Controlled or Designated Function: i. maintain their competencies; ii. are kept up to date with developments relating to their functions; and iii. are trained on any changes to the firm’s policies, procedures, systems and controls. 7.5. In designing its training and competence programme, the firm should consider all relevant factors, including but not limited to: a) the individuals’ differing needs, experience, skills and abilities; b) their differing roles and levels in the firm; c) the degree of supervision over, or independence exercised by, them; d) the availability of information needed for them to perform their roles; e) the nature, scale and complexity of the firm’s business, including the products and services it offers or provides, and proposes to offer or provide; f) the firm’s customers; g) the outcome of reviews of the individuals’ training and competence; h) any analysis showing areas where training needs to be enhanced; and i) the regulatory system, including any recent, or reasonably expected changes to it. 7.6. An Authorised Person is expected, at regular and appropriate intervals (at least once in 12 months) to review and evaluate its training and competence programme and training and competence document for quality and effectiveness and to ensure that the training needs of individuals performing Controlled or Designated Functions are appropriately met.

Guidance on Competence Assessment 7 7.7. For the purposes of this Guidance, the examples of training shall include but are not limited to: a) academic studies; b) obtaining professional qualifications; c) technical training for roles that are highly technical or that involve constant changes in legislation or regulatory practice; d) in-house training; e) industry literature review.

Guidance on Competence Assessment 8 Schedule 1. Competencies for Controlled and Designated Functions

1. Senior executive function competencies 1.1. Skills i. Assume, alone or with others, overall responsibility for the whole of the business of the firm; ii. Exercise critical judgement; iii. Plan, lead and implement change; iv. Develop the senior management team; v. Manage risk; vi. Demonstrate and encourage strategic thinking; vii. Exhibit organisational leadership; viii.Undertake, in an effective manner, the fiduciary responsibilities of a member of the Governing Body of the firm. 1.2. Knowledge i. Level of knowledge appropriate for the role (which may be demonstrated by having appropriate qualifications); ii. Good knowledge of the principles of sound and effective corporate governance. 1.3. Experience i. Appropriate level of experience relevant to the role.
2. Director (executive) function competencies 2.1. Skills i. Exercise critical judgement; ii. Plan, lead and implement change; iii. Develop staff; iv. Manage risk; v. Demonstrate and encourage strategic thinking; vi. Exhibit organisational leadership; vii. Promote compliance culture of the firm; viii.Undertake, in an effective manner, the fiduciary responsibilities of a member of the Governing Body of the firm. 2.2. Knowledge i. Level of knowledge appropriate for the role (which may be demonstrated by having appropriate qualifications); ii. Good knowledge of the principles of sound and effective corporate governance. 2.3. Experience i. Appropriate level of experience relevant to the role.
3. Director (non-executive) function competencies 3.1. Competence assessments for an individual who performs the non-executive governance function are likely to be less frequent than for an individual with a role in the firm’s day-to-day activities.

Guidance on Competence Assessment 9 3.2. Skills i. Act as a member of the Governing Body of the firm, but without responsibility for the day-to-day direction of its affairs; ii. Perform the role in a way that demonstrates independence within the Governing Body of the firm; iii. Undertake in an effective manner the fiduciary responsibilities of a member of the Governing Body of the firm. 3.3. Knowledge i. Level of knowledge appropriate for the role (which may be demonstrated by having appropriate qualifications); ii. Good knowledge of the principles of sound and effective corporate governance. 3.4. Experience i. Appropriate level of experience relevant to the role. 4. Finance Officer function competencies 4.1. Skills i. Work effectively in or with accountancy and finance to ensure that the firm complies with the AFSA’s prudential requirements; ii. Display high standards of professional ethics in accountancy and finance; iii. Ensure that the firm maintains accounting records, financial accounts and statements and auditors’ reports to the standards, and for the periods, required; iv. Ensure that the firm has its accounts and financial statements examined, reported, audited and filed in a timely manner and in accordance with applicable standards; v. Review accounting systems; vi. Implement external audit procedures. 4.2. Knowledge i. A professional qualification in accounting or finance, unless the firm is satisfied that evidence of such qualification is not required; ii. Membership in an appropriate professional body, unless the firm is satisfied that membership of such a body is not required. 4.3. Experience i. Appropriate level of experience relevant to the role. 5. Compliance Officer function competencies 5.1. Skills i. Develop, communicate and implement a compliance policy; ii. Compliance risk management; iii. Keep up to date with regulatory developments; iv. Support the staff in the firm to maintain compliance and assist the Governing Body in developing the compliance culture of the firm; v. Write and present compliance reports; vi. Consider and advise on the regulatory implications of new business strategies; vii. Plan and deliver compliance training. viii.Maintain an effective relationship with relevant external bodies and respond to requests on consultations.

Guidance on Competence Assessment 10 ix. Deal with complaints regarding non-compliance. x. Identify, investigate and resolve non-compliant activity within the firm. xi. Inform regulatory bodies of breaches in rules and regulations. xii. Develop and monitor the firm’s compliance with its training and competence programme and training and competence document. 5.2. Knowledge i. A recognised compliance oversight function professional qualification at certificate level, or any other qualification that the firm is satisfied is appropriate for the role, unless the firm is satisfied that evidence of the qualification is not required. 5.3. Experience i. Appropriate level of experience relevant to the role. 6. Actuary function competencies 6.1. Skills i. Assume responsibility for monitoring, advising, investigating and reporting on risks facing a firm that is an insurer that materially affect the firm’s ability to meet policyholder liabilities and capital requirements. ii. Evaluate and provide advice regarding, at a minimum, technical provisions, premium and pricing activities, capital adequacy, reinsurance and compliance with related statutory and regulatory requirements. iii. Develop actuarial policies, procedures and controls and take appropriate steps to ensure the implementation of and compliance with those policies, procedures and controls. iv. Produce actuarial reports in accordance with the relevant professional actuarial standards using appropriate actuarial valuation principles, techniques and methodologies. 6.2. Knowledge i. The individual must have a recognised actuarial function professional qualification and membership of an actuarial professional body. 6.3. Experience i. At least 5 years’ experience as an actuary to an insurer that is sufficiently recent to ensure familiarity with current issues in the provision of actuarial services. 7. Senior Manager function competencies 7.1. Skills i. Manage and supervise, alone or with others, one or more elements of the firm’s business relating to its Regulated Activities. 7.2. Knowledge i. Level of knowledge appropriate for the role (which may be demonstrated by having appropriate qualifications). 7.3. Experience i. Appropriate level of experience relevant to the role.

Guidance on Competence Assessment 11 8. MLRO function competencies 8.1. Skills i. Skills necessary for MLRO function are described in Annex 5 “Principal Functions Expected from an MLRO” of the Practical Guidance to AIFC Anti-Money Laundering and Counter – Terrorist Financing Framework. 8.2. Knowledge i. Knowledge necessary for MLRO function is described in Annex 5 “Principal Functions Expected from an MLRO” of the Practical Guidance to AIFC Anti-Money Laundering and Counter – Terrorist Financing Framework. 8.3. Experience i. at least 2 years of work experience in the field of AML/CFT and in the absence of the specified experience, a certificate of training for AML/CFT purposes. 9. Risk management function competencies 9.1. Skills i. Research the firm’s organisation and its requirements to help inform risk strategy and policy. ii. Establish risk strategy and policy. iii. Identify, assess and report risk management information to senior management. iv. Identify available resources to manage risk. v. Facilitate risk action planning. vi. Facilitate business continuity planning and disaster recovery. vii. Develop and maintain external third-party relationships relevant to risk management. viii.Develop and maintain effective risk management communication within the firm. ix. Monitor and evaluate the effectiveness of risk management controls. 9.2. Knowledge i. A recognised risk management function professional qualification, or any other qualification that the firm is satisfied is appropriate for the role, unless the firm is satisfied that the evidence of the qualification is not required. 9.3. Experience i. Appropriate level of experience relevant to the role. 10. Internal audit function competencies 10.1. Skills i. Maintain appropriate, sufficient, and effective internal audit resources to carry out the firm’s audit plan. ii. Establish risk-based audit plans to determine the priorities for internal audit and then communicate and implement the plan. iii. Provide independent assurance and evaluation and contribute to the improvement of governance (including internal controls and risk management) using a systematic and disciplined approach. iv. Evaluate the adequacy and effectiveness of the firm’s policies, procedures, documentation and controls against changing trends and market and economic conditions.

Guidance on Competence Assessment 12 v. Evaluate risk exposures relating to the firm’s governance, operations and information systems regarding: (a) the reliability and integrity of financial and operational information; (b) the effectiveness and efficiency of operations; (c) the safeguarding of assets; and (d) compliance with laws, regulations, policies, procedures and contracts. vi. Report periodically to the firm’s Governing Body on internal audit activities and the progress made in carrying out the firm’s audit charter and risk-based audit plan. vii. Establish a process to monitor the implementation of management action and ensure that implementation has been effective, or that the firm’s senior management have accepted the risk of not taking action. viii.Develop and maintain internal audit records to support audit conclusions. ix. Display high standards of professional ethics. 10.2. Knowledge i. A recognised audit professional qualification, or any other qualification that the firm is satisfied is appropriate for the role, unless the firm is satisfied that evidence of the qualification is not required. ii. Membership of an appropriate professional body, unless the firm is satisfied that membership of such a body is not required. 10.3. Experience i. Appropriate level of experience relevant to the role.