Minimum Requirements for Risk Management Framework of Licensed Capital Markets Intermediaries in Fiji

1 Reserve Bank of Fiji Capital Markets Supervision Policy Statement No. 11 MINIMUM REQUIREMENTS FOR RISK MANAGEMENT FRAMEWORK OF LICENSED CAPITAL MARKETS INTERMEDIARIES IN FIJI NOTICE TO HOLDERS OF SECURITIES INDUSTRY LICENCE Reserve Bank of Fiji May 2023

2 PART I: PRELIMINARY 1.0 Introduction 1.1 This Policy outlines the Reserve Bank’s minimum requirements for risk management for the capital markets industry and is issued pursuant to section 3(1) (a) of the Reserve Bank of Fiji (Capital Markets and Securities Industry) Regulations 2015. 1.2 For the purpose of this policy, the term “capital markets intermediaries” (CMIs) refers to the following securities industry licence holders; (i) Securities Exchange; (ii) Broker/Dealer – Body Corporate; and (iii) Manager of a Managed Investment Scheme. 1.3 In developing the minimum requirements of this policy, reference has been made to the International Organization of Securities Commissions Principles, the International Standard 31000: Risk Management – Guidelines and best practices. 2.0 Objective of the Policy 2.1 The objective of this policy is to ensure that CMIs have in place a comprehensive and effective risk management framework that identifies, measures, monitors and controls risks, commensurate with the size, nature and complexity of its business operations. PART II: MINIMUM REQUIREMENTS 3.0 Risk Management Framework 3.1 The board of a licensed CMI is ultimately responsible for the sound and prudent management of the CMI’s Risk Management Framework (RMF). A licensed CMI must establish and maintain an effective RMF that identifies, measures, monitors, and controls risks, commensurate with the size, nature and complexity of its business operations. 3.2 The RMF includes all structures, systems, policies, processes, risk management strategy, risk culture and people that the CMI uses for its risk identification, measurement and assessment, monitoring, mitigation, control and reporting of risk. 4.0 Risk Culture 4.1 CMIs must adopt and maintain an effective risk culture, as part of its RMF through policies, communication and training, and should include an adequate ‘tone from the top’ that fosters ethical and responsible business behaviour and attitude towards risk management. 4.2 The risk culture should be communicated and implemented effectively across all levels within the CMI and that all staff responsible for the risk management process must be fully aware of it and be held accountable for their actions. 4.3 A licensed CMI must develop appropriate processes to evaluate the current state of the risk culture of the CMI, for example, by means of self-assessment techniques or internal

3 surveys, and where deficiencies in risk cultures are noted, the CMI should adopt well defined and timely actions to address these deficiencies. 5.0 Risk Management Strategy 5.1 A licensed CMI must adopt and implement a well-documented Risk Management Strategy (RMS) that is approved by its board, reflecting the CMI’s approach on how it identifies, measures, monitors, reports and controls or mitigates the material risks of its operation. Moreover, the RMS should provide details on the policies and procedures for the identification, measurement, monitoring, reporting and controlling of risk. 5 . 2 The RMS must be accessible and communicated to all staff on a regular basis and any amendment to the RMS must be approved by the board. 6.0 Risk Management Policy 6.1 As part of its RMF, a licensed CMI must adopt and implement a well-documented policy that outlines the CMI’s approach in managing risk and the process involved. 6.2 The policy must be approved by the board, accessible and communicated to all staff on a regular basis and reviewed at least annually. Any amendment to the policy must be approved by the board. 6.3 The policy must include, at a minimum, the following: a. clearly defined roles, responsibilities and reporting structure; b. clearly defined risks, risk appetite and tolerance level for the CMI; c. processes for the identification, assessment, mitigation, monitoring and reporting of risks; d. clear adequate controls for the management of risks; e. processes that ensure compliance with all applicable laws and prudential regulatory requirements; and f. processes that ensure adequate oversight of the risk management function. 7.0 Roles and Responsibilities of Board 7.1 The responsibilities of the board include, but are not limited to: a. promoting a strong risk culture that is communicated across all levels; b. determining risk appetite and tolerance levels that are communicated to all staff; c. ensuring that a system is in place that adequately manages risks; d. ensuring the CMI is structured appropriately and has an adequate internal control; e. approving policies, procedures and standards of conduct for the evaluation and management of risks; f. ensuring proper due diligence is undertaken by senior management prior to outsourcing any function; and g. ensuring the risk management policy is implemented and maintained by senior management. 8.0 Roles and Responsibilities of Senior Management 8.1 The responsibilities of the senior management include, but are not limited to: a. implementing risk appetite and tolerance levels, strategies and policies;

4 b. promoting, together with the board, a strong risk culture across all levels; c. maintaining appropriate standards of conduct and adequate internal control; d. ensuring implementation and compliance to risk management policies, procedures, regulations and other relevant laws; e. monitoring compliance with all applicable laws, prudential regulatory requirements and internal risk management policies; f. providing advice on changes in regulatory, legal or market conditions that may impact the CMI’s operations; g. managing risks associated with the business; h. developing strategies, policies and procedures that identify, measure, manage and monitor risks; and i. providing regular and ad hoc submissions of risk management reports to the board. 9.0 Roles and Responsibilities of the Risk Management Function 9.1 In line with section 9 of the Prudential Supervision Policy Statement No: 1, a CMI must establish a risk management function (function) that is independent and have direct access to the board1 . 9.2 The role of the function is to assist the board and senior management to develop, implement, and maintain the risk management framework. 9.3 The responsibilities of the function include, but are not limited to: a. assisting senior management in developing the risk management framework; b. providing report on incidences of risk, breaches of risk management policy and processes to the board and/or senior management; c. identifying and analysing potential risks and the impact of losses to the CMI’s operations; d. driving and strengthening risk culture in the CMI and managing risks proactively through best practices; e. maintaining a risk register as part of its risk management process; and f. providing regular reports on the performance of the function to the board. 9.4 For CMIs that may find section 9.1 not feasible, the function’s responsibilities may be incorporated into a single senior position2 . 10.0 Risk Identification, Assessment, Measurement, Mitigation and Controls 10.1 A licensed CMI must have in place documented processes that identify, measure and assess risks that could adversely affect its operations, and must establish and maintain adequate control mechanisms to mitigate and control identified risks. 10.2 A licensed CMI must ensure that its risk management framework addresses the following types of risks: a. operational risk; b. strategic risk; c. investment risk;

1 While the requirements under section 9 of the PSPS 1 applies to licence holders of securities exchange companies and management companies of managed investment schemes, the requirements under section 9 of this policy extends to broker/dealer – body corporate, securities exchange companies and management companies of managed investment schemes. 2 The position may be referred to as a Chief Risk Officer, Risk Manager, Risk and Compliance Manager, Risk and Compliance Officer.

5 d. market risk; e. credit risk; f. related party transaction risk; g. liquidity risk; and h. any other significant risk that may arise from time to time. 10.3 The control mechanisms must be independent, quantifiable, audited and include at a minimum, the following: a. appropriate segregation of duties; b. clearly defined roles and responsibilities; and c. clearly defined verification and approval processes, authorisation and reporting lines. 11.0 Monitoring and Reporting Risk 11.1 A licensed CMI must establish an effective monitoring process for the early detection of risk, and adopt and maintain an effective and timely reporting process for the escalation of risk management matters to the senior management and board. 11.2 The CMI must ensure that data used for reporting are complete and accurate, and must notify the Reserve Bank of any material risk incident, and provide any other information that maybe requested by the Reserve Bank. 12.0 Management Information System 12.1 A licensed CMI must have an accurate, informative, and timely management information system to help measure, assess, manage and facilitate the reporting of risk. 12.2 A licensed CMI must appropriately document its disaster recovery plan and business continuity procedures to manage risks associated with system interruption or data loss, and must ensure that appropriate oversight, data security review and proper backup arrangements of data are regularly performed. 13.0 Review of the Risk Management Processes and Controls 13.1 A licensed CMI must have in place a documented process for the regular review of the risk management processes and control mechanisms to evaluate its effectiveness. 13.2 The review should encompass all aspects of the risk management process and controls to ensure that processes and controls are effective and efficient. The review should also obtain information on how to improve the current processes and controls, lesson learnt from risk events and identify emerging risks. 13.3 In the event where deficiencies in the processes and controls are noted during the review, the CMI should adopt well defined and timely actions to address these deficiencies. 13.4 The result of the review should be recorded and reported to the board. The Reserve Bank must be consulted in the event where the review noted a significant development.3

3 Examples of such development include: establishment of new roles, major upgrade to the operations and controls of the capital markets intermediary.

6 PART III OVERSIGHT AND IMPLEMENTATION ARRANGEMENTS 14.0 Oversight by the Reserve Bank of Fiji 14.1 For the purpose of this Policy, each CMI must provide to the Reserve Bank a copy of its Risk Management Policy within six months after the implementation of this Policy. In the event of major changes made to the Risk Management policy, a copy of the revised policy must be submitted to the Reserve Bank within 30 days after the changes have been approved by the board. 14.2 The Reserve Bank will assess the compliance of each CMI with the requirements of this Policy in the normal course of its supervision. 14.3 A licensed CMI that fails to comply with the requirements of this Policy will be subject to sanctions as specified in Section 4 of the Reserve Bank of Fiji (Capital Markets and Securities Industry) Regulations 2015. 14.4 The Reserve Bank may adjust or exclude a specific requirement in this Policy by providing a written notice. 15.0 Implementation Arrangements 15.1 This Policy applies to the securities industry licence holders of Securities Exchange, Broker/Dealer – Body Corporate and management companies of Managed Investment Schemes and becomes effective from 01 June 2023. 15.2 Full compliance is required within 12 months from the effective date, and will be reviewed as deemed necessary. Reserve Bank of Fiji May 2023

7 Appendix 1 Definition: Board: means the board of directors of the licensed capital markets intermediary. Control Mechanisms: means the processes and procedures that the licensed capital markets intermediary puts in place to ensure that the identified risks are properly managed. Credit Risk: means the risk that a counterparty will fail to perform fully its financial obligations. It includes the risk of default on a loan or bond obligation, and the risk of a guarantor failing to meet its obligations. Investment Risk: means the potential loss in the value of investments made by a capital markets intermediary. Operational Risk: means the risk of loss resulting from inadequate or failed internal processes, people and system or from external events. Liquidity Risk: means the risk that a capital markets intermediary will be unable to liquidate a particular financial instrument at or near its market value because of a lack of depth or disruption in the market for that instrument. CMI: means the following securities industry licence holders - Securities Exchange; Broker/Dealer – Body Corporate; and Manager of a Managed Investment Scheme. Market Risk: means the potential for losses arising from changes in the value or price of an asset, such as those resulting from fluctuations in interest rates, currency exchange rates, stock prices and commodity prices. Material Risk Incident: means those risks that are recognized by senior management that has the potential to materially impact the markets intermediary’s business operations. Related Party Transaction Risk: means the risk associated with transactions with a related party. Risk Appetite: means the aggregate level and types of risk a licensed capital markets intermediary is willing to take, decided in advance and with its risk capacity, to achieve its strategic objectives and business plan. Risk Culture: means a licensed markets intermediary’s norms, attitudes and behaviours related to risk awareness, risk-taking and risk management, and controls that shape decisions on risks. Risk culture influences the decisions of management and employees during the day￾to-day activities and has an impact on the risk they assume. Risk Tolerance: means the acceptance level of the outcome of a risk that a licensed capital markets intermediary is willing to accept, should a risk occur. Risk Strategy: means the structured approach that a licensed capital markets intermediary uses for the management of its risks.

8 Senior Management: means officers holding senior management responsibilities that may materially affect the whole or a substantial part of the licensed capital markets intermediary’s business or financial standing. Strategic Risk: means the risk associated with business decisions.