2026-03-30
Added · Updated
NAMFISA issued Standard No. CIS.S.4.19 to mandate comprehensive governance frameworks for all regulated entities under the Financial Institutions and Markets Act, 2021. The standard requires boards to uphold ethical leadership, maintain balanced composition with independent directors and strict tenure limits, and implement robust conflict of interest, internal audit, and risk management protocols. It further obligates regulated entities to conduct annual performance evaluations, establish comprehensive governance policies, and exercise rigorous oversight of outsourced services to ensure prudent operations.
FINANCIAL INSTITUTIONS AND MARKETS ACT, 2021 COLLECTIVE INVESTMENT SCHEMES GOVERNANCE Standard No. CIS.S.4.19 issued by NAMFISA under sections 410(2)(n) and 410(5)(cc) of the Financial Institutions and Markets Act, 2021
Definitions
(g) “non-executive director” means an individual not involved in the day-to-day management and operations of a regulated entity or its subsidiaries. (2) A party is related to a regulated entity if the party is – (a) an affiliate of, or an associate of, a regulated entity; (b) in a joint venture with the regulated entity; (c) a member of the executive management; (d) designated key persons of the regulated entity; or (e) considered to be controlled by the regulated entity, pursuant to section 3 of the Act. (3) Words and phrases defined in the Act have the same meaning in this Standard, unless the context indicates otherwise, including without limitation, the following: (a) as defined in section 1 of the Act – (i) auditor; (ii) board; (iii) director; (iv) NAMFISA; and (v) principal officer; and (b) as defined in section 168 of the Act – (i) authorised representative; (ii) collective investment scheme; (iii) custodian; (iv) manager; (v) nominee company; and (vi) trustee. Applicability 2. This Standard applies to all regulated entities. 3. This Standard must be read with the provisions in the following Standards: (a) Standard No. GEN.S.10.2 – Fit and Proper Requirements; (b) Standard No. GEN.S.10.8 – Independence of directors, members of a board, trustees, custodians, auditors and of any other person required to be independent under the Act; (c) Standard No. GEN.S.10.9 – Code of Conduct; and (d) Standard No. GEN.S.10.20 – Definition of related party transactions and identifying those that are prohibited under the Act.
PART 1: GOVERNANCE BY THE BOARD Board’s ethical leadership responsibility 4. The board of a regulated entity must – (a) provide effective leadership based on an ethical foundation characterised by the ethical values of responsibility, accountability, fairness and transparency; (b) ensure that the responsibilities of the board are consistent with the overriding objectives of the regulated entity; (c) retain ultimate responsibility for the performance, conduct and governance of the regulated entity, even though certain functions are delegated or outsourced to external service providers, and the board may not abdicate any of its functions and responsibilities; (d) be responsible for developing the regulated entity’s ethical standards, and such standards must inform all practices, procedures, policies and conduct of the regulated entity; (e) consider the effect of its decisions on all key stakeholders of the regulated entity; and (f) ensure that the regulated entity’s ethics performance is assessed, monitored, reported and disclosed in the regulated entity’s annual financial statements. Board composition 5. (1) The board of a regulated entity must consist of executive directors, non-executive directors and independent directors. (2) The board must appoint a chairperson among its directors. (3) The board must have a balanced power structure, with one-third of its members being independent directors. (4) The board must be assisted by a competent, suitably qualified and experienced company secretary. 6. The board of a regulated entity must have necessary qualifications, knowledge, skills and expertise to effectively lead, direct and oversee the regulated entity’s business to ensure it is conducted in a sound and prudent manner, and for this purpose – (a) the board must collectively and individually have, and continue to maintain, including through training, necessary skills, knowledge and understanding of the regulated entity’s business to be able to fulfil their roles; (b) the board must have knowledge and skills required for effectively governing a regulated entity, finance, accounting, the role of control functions, investment analysis and portfolio management, and obligations relating to fair treatment of customers; and (c) while certain areas of expertise may lie in some but not all members, the collective board must have an adequate spread and level of relevant competencies and understanding as appropriate to the regulated entity’s business.
(a) is not an employee nor been employed by the regulated entity or related party in any board capacity or executive management within the preceding three years; (b) is not associated to an adviser or consultant to the regulated entity; (c) is not a material customer or supplier of the regulated entity or has a personal service contract(s) with the regulated entity or a member of the regulated entity’s executive management; (d) has no material association or interest with the regulated entity or its related parties that could impair independent judgment; (e) is not a recipient of material financial contributions or benefits from the regulated entity that could compromise independence; (f) has not had any business relationship with the regulated entity (other than service as a director) for which the regulated entity has been required to make disclosure within the preceding three years; (g) is not employed by a public listed company or an unlisted company at which an executive officer of the regulated entity serves as a director; (h) is not a close family member of any person described in paragraphs (a) to (g); or (i) has not had any of the relationships described in paragraphs (a) to (g) with any affiliate of the regulated entity. 14. An independent director must not be an employee of a regulated entity or an employee of a related party. Orientation and training of directors 15. New directors must, at the expense of the regulated entity, receive training on both the legislative, regulatory and governance principles to equip them to effectively carry out their functions as directors. 16. The board must seek to enhance its knowledge, where relevant, via appropriate training and training programmes that meet the specific needs of the regulated entity and the individual directors, as may be identified during the annual individual directors’ performance evaluation. 17. Directors must receive regular briefings on matters relevant to the business of the regulated entity, changes in risks and laws applicable to the business of the regulated entity, including accounting standards and policies, and the environment in which it operates. Performance evaluation of board 18. The board must, at least annually, review its own performance to ascertain whether board members collectively and individually remain effective in discharging the respective roles and responsibilities assigned to them and identify opportunities to improve the performance of the board. 19. The board must implement appropriate measures to address any identified inadequacies, including any training programmes for continuous development of board members. 20. Subject to the Act, the board must ensure that –
(a) the evaluation of the board, its committees and individual directors is performed annually against the board’s determined roles, functions, duties and performance criteria, as well as those for members of board committees; (b) the past performance as a board member must be taken into account when directors are nominated for re-appointment or re-election; (c) evaluations must be conducted by the chairperson who must ensure that directors know that they will be subject to evaluation, that they understand the criteria used for evaluation and that they understand the evaluation procedures that will be followed; (d) the board, except the principal officer, must evaluate the chairperson’s performance; and (e) the performance of the principal officer is evaluated at least annually. 21. The board may consider the use of external expertise from time to time to undertake its performance assessment where appropriate to enhance the objectivity and integrity of that assessment process. Internal audit 22. The board must consider whether the structure and operations of the regulated entity warrant the establishment of an internal audit function, which may be provided at the level of the entity or at group level. 23. (1) Where the board decides to introduce an internal audit function, the board must ensure that - (a) there is an effective risk based internal audit function; (b) in the event that the internal audit function is outsourced, the board is ultimately responsible to oversee, manage, inform and take accountability for the effective functioning of the outsourced internal audit function; (c) the board is ultimately responsible for the appointment and performance assessment of the head of internal audit; (d) internal audit must pursue a risk based approach to planning as opposed to a compliance based approach that is limited to evaluation of adherence to procedures; and (e) internal controls must be established not only over financial matters, but also operational, compliance and sustainability matters to prevent, eliminate or manage risks faced by the regulated entity. (2) Where the internal audit function is provided at group level, the board of the entity must satisfy itself that the function has direct and unrestricted access to the entity’s Audit Committee, and that its coverage, scope, and reporting arrangements are appropriate to the entity’s risks and regulatory obligations. Board committees 24. Pursuant to section 398 of the Act, the regulated entity’s board may set up committees necessary to ensure effective oversight of key areas of risk, compliance and strategic importance, including but not limited to –
(a) investment; (b) risk management; (c) ethics; (d) nomination and remuneration; (e) information technology. (f) code of conduct; and (g) succession planning. 25. The terms of reference of a committee of the board must, at a minimum, cover – (a) the composition of the committee; (b) the objectives, purpose and functions of the committee; (c) delegated authorities, including the extent of power to make decisions or recommendations or both; (d) tenure; and (e) reporting mechanism to the board. 26. Every member of a board committee must, as far as is reasonably possible, be suitably skilled and experienced to serve on such committee. Board Policies 27. Pursuant to clause 22, regulated entities must establish and maintain a comprehensive suite of governance policies that reflects its key operational, ethical, regulatory and strategic responsibilities, including but not limited to – (a) investment management; (b) risk management; (c) conflict of interest; (d) complaints management; (e) information technology; Tenure of office 28. (1) To ensure independence and reduce the risk of familiarity, no non-executive director may serve for more than three consecutive terms, and the tenure for one term may not exceed a period of three years. (2) After serving three consecutive terms, a minimum three- year cooling-off period must elapse during which the individual holds no employment, directorship, advisory role, or other significant relationship with the regulated entity, before being eligible for reappointment as a non-executive director. Appointment of external auditor 29. (1) To ensure independence and reduce the risk of familiarity in respect of the auditor of the regulated entity, the auditor must be appointed for a fixed period and –
(a) the auditor may not serve for more than five consecutive years unless otherwise approved by the Regulator; and (b) the auditor must comply with the partner rotation requirements prescribed by the Code of Ethics issued by the International Ethics Standards Board for Accountants. (2) After serving as the auditor for the maximum period of five consecutive years, a minimum period of at least three years must lapse before the same auditor may be appointed again. Rotation and succession 30. The board must set periodic, staggered rotation or tenure limits for directors and committee chairs, to balance fresh perspectives with continuity, retain valuable expertise, and prevent undue concentration of power. Filling of vacancies on the board 31. The board must fill vacancies, inclusive of interim vacancies, required by the rules of the regulated entity within a reasonable time from when the vacancy arose. PART 2: GOVERNANCE OF THE OPERATIONS OF THE REGULATED ENTITY Role of the board in setting the regulated entity strategy 32. The board must be responsible for the determination and approval of the long-term and short-term strategies of the regulated entity and monitor implementation therewith by management or the service provider to whom services have been outsourced, if any. 33. Before approving the strategy, the board must ensure that the strategy is aligned with the Act and any relevant legislation, the purpose or object of the regulated entity, the value drivers of the regulated entity’s business and the legitimate interests and expectations of the regulated entity’s stakeholders. 34. The board must identify key performance and risk areas as well as the associated performance and risk indicators and measures, across key functions and areas of the regulated entity. Internal controls 35. The board must ensure that there are adequate internal controls in place to ensure that all persons and entities with operational and oversight responsibilities act in accordance with the objectives required by the rules of the regulated entity, the Act and any other applicable law. 36. Internal controls must cover all basic organisational and administrative procedures and, depending upon the scale and complexity of the regulated entity, the internal controls must include performance assessment, compensation mechanisms, information systems and processes, risk and compliance management procedures. 37. Appropriate policies guiding the governance and operations must be adopted and implemented by the board. 38. The oversight responsibilities of the board requires that there must be – (a) a regular assessment of the performance of the persons and entities involved in the operations of the regulated entity in terms of service level agreements,
mandates, and performance contracts; (b) a regular review of services and fees and all costs associated with the operations of the regulated entity to ensure that they are appropriate; (c) a regular review of the information processes, operational software systems and accounting and financial reporting systems involved in the operation of the regulated entity; (d) the monitoring and resolution of actual, potential or perceived conflict of interest amongst those involved in the operation of the regulated entity; (e) the protection of confidential information of the regulated entity; and (f) regular review of compliance with regulatory and statutory requirements of the regulated entity. Expert advice 39. Where the board lacks sufficient expertise to make fully informed decisions and to fulfil its responsibilities, it may seek expert advice. 40. The board must satisfy itself that any expert advice obtained is independently given and where the professional gives expert advice in respect of a service provider, the board must satisfy itself that such advice is not compromised by the relationship of that professional or their firm to that service provider. 41. The board must assess and satisfy itself that any expert advice received is of quality, it must verify that all its professional staff and external service providers have adequate qualifications and experience, and the board is not obliged to accept the advice but must consider the appropriateness of such advice. Risk management 42. Subject to the Act – (a) the board may delegate oversight of the regulated entity’s risk management function to an appropriate board committee; and (b) the board must ensure that the frameworks and processes in place to assist in anticipating these risks have the following characteristics: (i) insight - the ability to identify the cause of the risk, where there are multiple causes or root causes that are not immediately obvious; (ii) information - comprehensive information about all aspects of risks and risk sources, especially of financial risks; (iii) incentives - the ability to separate risk origination and risk ownership ensuring proper due diligence and accountability; (iv) instinct - the ability to avoid following the herd when there are systemic and pervasive risks; (v) independence - the ability to view the regulated entity independently from its environment; and (vi) interconnectivity - the ability to identify and understand how risks are related, especially when their relatedness might exacerbate the risk.
regulated entity to enable them to make informed decisions; (b) all regulated entity information is confidential and must not be released to any person unless such person has a lawful right thereto, and where this information is held by a service provider, the service provider will preserve its confidentiality and return the information to the regulated entity when the relationship with the service provider is terminated; (c) the board is the ultimate custodian of the corporate reputation and stakeholder relationships, and the board must take account of and respond to the legitimate interests and expectations of stakeholders in its decision-making; (d) stakeholder interests and expectations, even if not considered warranted or legitimate, must be dealt with and not ignored; and (e) communication with relevant stakeholders, must be responded to promptly by or on behalf of the board and with thoroughness. Information technology governance 54. The regulated entity must understand the strategic importance of information technology and manage the associated risks, benefits and constraints and the responsibility for the information technology function must be assumed by the board. 55. Information technology must be aligned with the performance and sustainability objectives of the regulated entity. 56. The board must ensure that information and information technology assets are managed effectively. 57. Where the administrative function of information technology is outsourced to a service provider, the board must obtain the necessary assurances and satisfy itself that the information technology risks are managed effectively by the service provider in accordance with best practice principles of information technology governance and risk management. 58. The risk or audit function must consider information technology risk as a crucial element of the effective oversight of the risk management of the regulated entity. 59. In understanding and measuring information technology risks, the risk or audit function must understand the regulated entity’s overall exposure to information technology risk from a strategic and business perspective, including the areas of the business that are most dependent on information technology for effective and continual operation. Reporting 60. Reporting channels between all the persons and entities involved in the governance of the regulated entity must be established to ensure the effective and timely transmission of relevant and accurate information. Disclosure 61. The board must disclose relevant information to relevant persons, notably employees, clients, supervisory authorities and auditors, in a clear, accurate and timely manner. Non-compliance 62. NAMFISA may take appropriate enforcement action in terms of Part 6 of Chapter 10 of the Act for non-compliance with this Standard.