2026-03-30

Added · Updated

NAMFIBA Governance Standard FM.S.3.10

NAMFIBA issued Standard FM.S.3.10 to establish comprehensive governance requirements for all regulated entities under the Financial Institutions and Markets Act, 2021. The standard mandates balanced board composition with independent directors, strict conflict of interest protocols, mandatory internal audit functions, and robust risk management frameworks. It further enforces director tenure limits, regular performance evaluations, and clear separation of oversight and operational duties to ensure ethical leadership and stakeholder protection.

Namibia Financial Institutions Supervisory Authority logo

Namibia

Namibia Financial Institutions Supervisory Authority

Click to view thumbnail

FINANCIAL INSTITUTIONS AND MARKETS ACT, 2021 FINANCIAL MARKETS GOVERNANCE Standard No. FM.S.3.10 issued by NAMFISA under sections 410(2)(n) and 410(4)(t) of the Financial Institutions and Markets Act, 2021


Definitions

  1. (1) In this Standard – (a) “Act” means the Financial Institutions and Markets Act, 2021 (Act No. 2 of 2021), and it must be read with the regulations prescribed under the Act and the standards and other subordinate measures issued by NAMFISA under the Act; (b) “conflict of interest” means a situation which a director, key person, auditor or 3 rd party service provider encounters, while rendering a financial service to a client, if that situation – (i) impairs the objectivity of the director, key person, auditor or 3 rd party service provider in any aspect of rendering the financial service to the client; or (ii) prevents a director, key person, auditor or 3 rd party service provider from rendering the financial service to the client in an unbiased and fair manner or from acting in the best interest of the client; (c) “executive director" means an individual involved in the day-to-day operations of the regulated entity or its subsidiaries; (d) “executive management” means the team of individuals at the highest level of a regulated entity who are involved in the day-to-day responsibilities of managing the regulated entity and who hold specific executive powers conferred onto them, with and by authority of the board of the regulated entity; (e) “immediate family” means (i) a child, including a stepchild, child adopted in terms of any law, custom or tradition; (ii) the spouse; (iii) a parent, stepparent, grandparent, brother or sister; or (iv) a father-in-law, mother-in-law, sister-in law or brother-in-law, of the regulated entity’s employee, director or key person; (f) “key person” means any person responsible for managing or overseeing, either alone or together with another responsible person, the activities of a regulated entity, and includes those individuals or other entities holding more than 20% of a regulated entity’s voting rights;

(g) “non-executive director” means an individual not involved in the day-to-day management and operations of a regulated entity or its subsidiaries; and (h) “regulated entity” means any of the following entities registered under Chapter 3 of the Act: (i) authorised user; (ii) central securities depository; (iii) exchange; (iv) investment manager; (v) linked investment service provider; (vi) nominee company; (vii) participant; (viii) securities advisor; (ix) securities clearing house; (x) securities dealer; (xi) securities ratings agency; (xii) self-regulatory organisation; or (xiii) stockbroker. (2) A party is related to a regulated entity if the party is – (a) an affiliate of, or an associate of, a regulated entity; (b) in a joint venture with the regulated entity; (c) a member of the executive management; (d) designated key persons of the regulated entity; or (e) considered to be controlled by the regulated entity, pursuant to section 3 of the Act. (3) Words and phrases defined in the Act have the same meaning in this Standard, unless the context indicates otherwise, including without limitation, the following: (a) as defined in section 1 of the Act – (i) auditor; (ii) board; (iii) director; (iv) NAMFISA; and (v) principal officer; and (b) as defined in section 78 of the Act – (i) authorised user;

(ii) central securities depository; (iii) exchange; (iv) investment manager; (v) linked investment service provider; (vi) nominee; (vii) participant; (viii) securities advisor; (ix) securities clearing house; (x) securities dealer; (xi) securities rating agency; (xii) self-regulatory organisation; and (xiii) stockbroker. Applicability 2. This Standard applies to all regulated entities. 3. This Standard must be read with the provisions in the following Standards: (a) Standard No. GEN.S.10.2 – Fit and Proper Requirements; (b) Standard No. GEN.S.10.8 – Independence of directors, members of a board, trustees, custodians, auditors and of any other person required to be independent under the Act; (c) Standard No. GEN.S.10.9 – Code of Conduct; and (d) Standard No. GEN.S.10.20 – Definition of related party transactions and identifying those that are prohibited under the Act. PART 1: GOVERNANCE BY THE BOARD Board’s ethical leadership responsibility 4. The board of a regulated entity must – (a) provide effective leadership based on an ethical foundation characterised by the ethical values of responsibility, accountability, fairness and transparency; (b) ensure that the responsibilities of the board are consistent with the overriding objectives of the regulated entity; (c) retain ultimate responsibility for the performance, conduct and governance of the regulated entity, even though certain functions are delegated or outsourced to external service providers, and the board may not abdicate any of its functions and responsibilities; (d) be responsible for developing the regulated entity’s ethical standards, and such standards must inform all practices, procedures, policies and conduct of the regulated entity;

(e) consider the effect of its decisions on all key stakeholders of the regulated entity; and (f) ensure that the regulated entity’s ethics performance is assessed, monitored, reported and disclosed in the regulated entity’s annual financial statements. Board composition 5. (1) The board of a regulated entity must consist of executive directors, non-executive directors and independent directors. (2) The board must appoint a chairperson among its directors. (3) The board must have a balanced power structure, with one-third of its members being independent directors. (4) The board must be assisted by a competent, suitably qualified and experienced company secretary. 6. The board of a regulated entity must have necessary qualifications, knowledge, skills and expertise to effectively lead, direct and oversee the regulated entity’s business to ensure it is conducted in a sound and prudent manner, and for this purpose – (a) the board must collectively and individually have, and continue to maintain, including through training, necessary skills, knowledge and understanding of the regulated entity’s business to be able to fulfil their roles; (b) the board must have knowledge and skills required for effectively governing a regulated entity, finance, accounting, the role of control functions, investment analysis and portfolio management, and obligations relating to fair treatment of customers; and (c) while certain areas of expertise may lie in some but not all members, the collective board must have an adequate spread and level of relevant competencies and understanding as appropriate to the regulated entity’s business. 7. The procedures for the appointment of directors must be formal and transparent, and must be considered by the board as a whole and subject to shareholder approval where applicable. 8. The appointment of each director must be formalised through a written agreement between the regulated entity and the director, setting out the key terms of the appointment. Duties of board chairperson 9. The chairperson of the board must – (a) proactively and impartially lead the board, ensuring that the principle of collective responsibility for board decisions is upheld, while at the same time being aware of the individual duties of board members; (b) be independent within the meaning of this Standard; (c) proactively raise issues of concerns on behalf of the board;

(d) ensure that the performance of the board as a whole, board committees and the principal officer is reviewed and evaluated on a regular basis, and must manage the performance of members of the board; and (e) preside over board meetings and ensure that time in meetings is used productively. Independence and conflict of interest 10. A member of the board, principal officer, employee, officers, auditor and other 3 rd party service providers must report to the board any conflict of interest encountered before the commencement of their duties and/or during the performance of their duties. 11. There must be a clear identification and separation of operational and oversight responsibilities in the governance of the regulated entity, and the segregation of duties must reflect the nature and extent of the governance risks faced by the regulated entity. 12. The board must – (a) demonstrate their independence in the way they exercise any discretion; (b) always consider what is in the best interest of the regulated entity; (c) ensure that appropriate controls exist to – (i) promote the independence and impartiality of the board; (ii) ensure that confidential or privileged information in the possession or under the control of the regulated entity is protected and must only disclose such information as permitted in terms of the law or with the express consent of the relevant person; and (iii) prevent the improper use of privileged or confidential information; and (d) ensure that 3 rd party service providers do not unduly influence the management of the regulated entity. 13. In addition to the meaning assigned to the term “independent” in Standard No. GEN.S.10.8 - The independence of directors, members of a board, trustees, custodians, auditors and of any other person required to be independent under the Act, for purposes of this Standard “independent director” means a director who – (a) is not an employee nor been employed by the regulated entity or related party in any board capacity or executive management within the preceding three years; (b) is not associated to an adviser or consultant to the regulated entity; (c) is not a material customer or supplier of the regulated entity or has a personal service contract(s) with the regulated entity or a member of the regulated entity’s executive management; (d) has no material association or interest with the regulated entity or its related parties that could impair independent judgment; (e) is not a recipient of material financial contributions or benefits from the regulated entity that could compromise independence; (f) has not had any business relationship with the regulated entity (other than service as a director) for which the regulated entity has been required to make disclosure within the preceding three years;

(g) is not employed by a public listed company or an unlisted company at which an executive officer of the regulated entity serves as a director; (h) is not a close family member of any person described in paragraphs (a) to (g); or (i) has not had any of the relationships described in paragraphs (a) to (g) with any affiliate of the regulated entity. 14. An independent director must not be an employee of a regulated entity or an employee of a related party. Orientation and training of directors 15. New directors must, at the expense of the regulated entity, receive training on both the legislative, regulatory and governance principles to equip them to effectively carry out their functions as directors. 16. The board must seek to enhance its knowledge, where relevant, via appropriate training and training programmes that meet the specific needs of the regulated entity and the individual directors, as may be identified during the annual individual directors’ performance evaluation. 17. Directors must receive regular briefings on matters relevant to the business of the regulated entity, changes in risks and laws applicable to the business of the regulated entity, including accounting standards and policies, and the environment in which it operates. Performance evaluation of board 18. The board must, at least annually, review its own performance to ascertain whether board members collectively and individually remain effective in discharging the respective roles and responsibilities assigned to them and identify opportunities to improve the performance of the board. 19. The board must implement appropriate measures to address any identified inadequacies, including any training programmes for continuous development of board members. 20. Subject to the Act, the board must ensure that – (a) the evaluation of the board, its committees and individual directors is performed annually against the board’s determined roles, functions, duties and performance criteria, as well as those for members of board committees; (b) the past performance as a board member must be taken into account when directors are nominated for re-appointment or re-election; (c) evaluations must be conducted by the chairperson who must ensure that directors know that they will be subject to evaluation, that they understand the criteria used for evaluation and that they understand the evaluation procedures that will be followed; (d) the board, except the principal officer, must evaluate the chairperson’s performance; and (e) the performance of the principal officer is evaluated at least annually.

  1. The board may consider the use of external expertise from time to time to undertake its performance assessment where appropriate to enhance the objectivity and integrity of that assessment process. Internal audit
  2. The board must consider whether the structure and operations of the regulated entity warrant the establishment of an internal audit function, which may be provided at the level of the entity or at group level.
  3. (1) Where the board decides to introduce an internal audit function, the board must ensure that - (a) there is an effective risk based internal audit function; (b) in the event that the internal audit function is outsourced, the board is ultimately responsible to oversee, manage, inform and take accountability for the effective functioning of the outsourced internal audit function; (c) the board is ultimately responsible for the appointment and performance assessment of the head of internal audit; (d) internal audit must pursue a risk based approach to planning as opposed to a compliance-based approach that is limited to evaluation of adherence to procedures; and (e) internal controls must be established not only over financial matters, but also operational, compliance and sustainability matters to prevent, eliminate or manage risks faced by the regulated entity. (2) Where the internal audit function is provided at group level, the board of the entity must satisfy itself that the function has direct and unrestricted access to the entity’s Audit Committee, and that its coverage, scope, and reporting arrangements are appropriate to the entity’s risks and regulatory obligations. Board committees
  4. Pursuant to section 398 of the Act, the regulated entity’s board may set up committees necessary to ensure effective oversight of key areas of risk, compliance and strategic importance, including but not limited to – (a) investment; (b) risk management; (c) ethics; (d) nomination and remuneration; (e) information technology. (f) code of conduct; and (g) succession planning.
  5. The terms of reference of a committee of the board must, at a minimum, cover – (a) the composition of the committee; (b) the objectives, purpose and functions of the committee;

(c) delegated authorities, including the extent of power to make decisions or recommendations or both; (d) tenure; and (e) reporting mechanism to the board. 26. Every member of a board committee must, as far as is reasonably possible, be suitably skilled and experienced to serve on such committee. Board Policies 27. Pursuant to clause 22 , regulated entities must establish and maintain a comprehensive suite of governance policies that reflects its key operational, ethical, regulatory and strategic responsibilities, including but not limited to – (a) investment management; (b) risk management; (c) conflict of interest; (d) complaints management; (e) information technology. Tenure of office 28. (1) To ensure independence and reduce the risk of familiarity, no non-executive director may serve for more than three consecutive terms, and the tenure for one term may not exceed a period of three years. (2) After serving three consecutive terms, a minimum three- year cooling-off period must elapse during which the individual holds no employment, directorship, advisory role, or other significant relationship with the regulated entity, before being eligible for re￾appointment as a non-executive director. Appointment of external auditor 29. (1) To ensure independence and reduce the risk of familiarity in respect of the auditor of the regulated entity, the auditor must be appointed for a fixed period and – (a) the auditor may not serve for more than five consecutive years unless otherwise approved by the Regulator; and (b) the auditor must comply with the partner rotation requirements prescribed by the Code of Ethics issued by the International Ethics Standards Board for Accountants. (2) After serving as the auditor for the maximum period of five consecutive years, a minimum period of at least three years must lapse before the same auditor may be appointed again. Rotation and succession 30. The board must set periodic, staggered rotation or tenure limits for directors and committee chairs, to balance fresh perspectives with continuity, retain valuable expertise, and prevent undue concentration of power. Filling of vacancies on the board

  1. The board must fill vacancies, inclusive of interim vacancies, required by the rules of the regulated entity within a reasonable time from when the vacancy arose. PART 2: GOVERNANCE OF THE OPERATIONS OF THE REGULATED ENTITY Role of the board in setting the regulated entity strategy

  2. The board must be responsible for the determination and approval of the long-term and short-term strategies of the regulated entity and monitor implementation therewith by management or the service provider to whom services have been outsourced, if any.

  3. Before approving the strategy, the board must ensure that the strategy is aligned with the Act and any relevant legislation, the purpose or object of the regulated entity, the value drivers of the regulated entity’s business and the legitimate interests and expectations of the regulated entity’s stakeholders.

  4. The board must identify key performance and risk areas as well as the associated performance and risk indicators and measures, across key functions and areas of the regulated entity. Internal controls

  5. The board must ensure that there are adequate internal controls in place to ensure that all persons and entities with operational and oversight responsibilities act in accordance with the objectives required by the rules of the regulated entity, the Act and any other applicable law.

  6. Internal controls must cover all basic organisational and administrative procedures and, depending upon the scale and complexity of the regulated entity, the internal controls must include performance assessment, compensation mechanisms, information systems and processes, risk and compliance management procedures.

  7. Appropriate policies guiding the governance and operations must be adopted and implemented by the board.

  8. The oversight responsibilities of the board requires that there must be – (a) a regular assessment of the performance of the persons and entities involved in the operations of the regulated entity in terms of service level agreements, mandates, and performance contracts; (b) a regular review of services and fees and all costs associated with the operations of the regulated entity to ensure that they are appropriate; (c) a regular review of the information processes, operational software systems and accounting and financial reporting systems involved in the operation of the regulated entity; (d) the monitoring and resolution of actual, potential or perceived conflict of interest amongst those involved in the operation of the regulated entity; (e) the protection of confidential information of the regulated entity; and (f) regular review of compliance with regulatory and statutory requirements of the regulated entity. Expert advice

  9. Where the board lacks sufficient expertise to make fully informed decisions and to fulfil its responsibilities, it may seek expert advice.

  10. The board must satisfy itself that any expert advice obtained is independently given and where the professional gives expert advice in respect of a service provider, the board must satisfy itself that such advice is not compromised by the relationship of that professional or their firm to that service provider.

  11. The board must assess and satisfy itself that any expert advice received is of quality, it must verify that all its professional staff and external service providers have adequate qualifications and experience, and the board is not obliged to accept the advice but must consider the appropriateness of such advice. Risk management

  12. Subject to the Act – (a) the board may delegate oversight of the regulated entity’s risk management function to an appropriate board committee; and (b) the board must ensure that the frameworks and processes in place to assist in anticipating these risks have the following characteristics: (i) insight - the ability to identify the cause of the risk, where there are multiple causes or root causes that are not immediately obvious; (ii) information - comprehensive information about all aspects of risks and risk sources, especially of financial risks; (iii) incentives - the ability to separate risk origination and risk ownership ensuring proper due diligence and accountability; (iv) instinct - the ability to avoid following the herd when there are systemic and pervasive risks; (v) independence - the ability to view the regulated entity independently from its environment; and (vi) interconnectivity - the ability to identify and understand how risks are related, especially when their relatedness might exacerbate the risk.

  13. The board must have in place a risk management policy which must be reviewed regularly, but at least every three years, and must include – (a) the identification of risks facing the regulated entity; (b) the assessment of the likelihood of each such risk on the regulated entity; (c) the assessment of the impact of each such risk to the regulated entity; (d) the process or controls necessary to reduce the impact of key risks; (e) the monitoring of the risk process or controls to ensure that they are appropriate; and (f) the communication to the stakeholders of the regulated entity’s risk management policy, including the identification of the key risks and the processes or controls in place to prevent, eliminate or manage them.

  14. The board must ensure that the regulated entity considers and implements appropriate risk responses.

  15. The regulated entity must identify and consider different ways that it can respond to the risks identified during the risk assessment process and these responses must be noted in a risk register.

  16. The regulated entity must be able to demonstrate that the risk management process provides for the identification and exploitation of opportunities to improve its performance.

  17. The risks to be identified must not be limited to those which have a financial consequence, but must include risks which relate to the governance of the regulated entity, and which may jeopardise the governance structure.

  18. The regulated entity is not expected to micro-manage the functions delegated to service providers, but those functions must, when delegated, contain sufficient detail to ensure that the service provider understands what is expected by the board and provide for reasonable right of recourse if there is any breach of the delegated functions by the service provider.

  19. The board must receive assurance regarding the effectiveness of the risk management process for outsourced or delegated functions.

  20. The board must ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to relevant stakeholders. Regulated entity expenses

  21. The board must perform regular review of services, against set performance standards, fees and all costs associated with the operation of the regulated entity to ensure that they are appropriate.

  22. The board must ensure that the costs and expenses of the regulated entity are managed efficiently. PART 3: MANAGEMENT OF STAKEHOLDER RELATIONSHIPS Regulated entity information and access to regulated entity information

  23. Subject to the Act, the board must ensure that – (a) directors have unrestricted access to all relevant information relating to the regulated entity to enable them to make informed decisions; (b) all regulated entity information is confidential and must not be released to any person unless such person has a lawful right thereto, and where this information is held by a service provider, the service provider will preserve its confidentiality and return the information to the regulated entity when the relationship with the service provider is terminated; (c) the board is the ultimate custodian of the corporate reputation and stakeholder relationships and the board must take account of and respond to the legitimate interests and expectations of stakeholders in its decision-making; (d) stakeholder interests and expectations, even if not considered warranted or legitimate, must be dealt with and not ignored; and (e) communication with relevant stakeholders, must be responded to promptly by or on behalf of the board and with thoroughness.

Information technology governance 54. The regulated entity must understand the strategic importance of information technology and manage the associated risks, benefits and constraints and the responsibility for the information technology function must be assumed by the board. 55. Information technology must be aligned with the performance and sustainability objectives of the regulated entity. 56. The board must ensure that information and information technology assets are managed effectively. 57. Where the administrative function of information technology is outsourced to a service provider, the board must obtain the necessary assurances and satisfy itself that the information technology risks are managed effectively by the service provider in accordance with best practice principles of information technology governance and risk management. 58. The risk or audit function must consider information technology risk as a crucial element of the effective oversight of the risk management of the regulated entity. 59. In understanding and measuring information technology risks, the risk or audit function must understand the regulated entity’s overall exposure to information technology risk from a strategic and business perspective, including the areas of the business that are most dependent on information technology for effective and continual operation. Reporting 60. Reporting channels between all the persons and entities involved in the governance of the regulated entity must be established to ensure the effective and timely transmission of relevant and accurate information. Disclosure 61. The board must disclose relevant information to relevant persons, notably employees, clients, supervisory authorities and auditors, in a clear, accurate and timely manner. Non-compliance 62. NAMFISA may take appropriate enforcement action in terms of Part 6 of Chapter 10 of the Act for non-compliance with this Standard.