Proposed financial institutions conduct regime

22 July 2022

The Financial Markets Authority (FMA) is proposing six standard licencing conditions under the new Conduct of Financial Institutions Conduct (CoFI) regime, expected to come into force in early 2025.

Although broadly consistent with existing licences issued by the FMA, there are some differences of which regulated financial institutions will need to be aware. There is also a risk of overlapping and conflicting legislative requirements.

Submissions on the consultation paper are due by 7 September.

Proposed standard conditions

The six standard conditions will apply to registered banks, licensed insurers and licensed non-bank deposit takers with retail customers once the new licenses are granted. If adopted, the standard conditions and their explanatory notes will require the following: 

Ongoing requirements – A financial institution must at all times satisfy the various requirements for licences, such as directors and senior managers meeting fit and proper criteria, under section 396 of the Financial Markets Conduct Act (FMCA). A financial institution must also have arrangements in place to ensure any authorised bodies covered by the licence under section 400 of the FMCA, are appropriately controlled and supervised. So long as these requirements continue to be met, institutions can make changes to their business or the scope of their financial service without breaching this standard condition. However, any changes must align with the fair treatment of consumers and the institution’s fair conduct programme.

Notification of material changes – A financial institution must notify the FMA in writing within 10 working days of implementing any material change to the nature of its service – e.g. an insurer moving its business into run-off. No notice is required if an institution changes its services, products or distribution methods. A material change in the nature of the service may need to be reflected in an updated fair conduct programme, policies and systems.

Regulatory returns – A financial institution must provide the information the FMA needs to monitor the institution’s ongoing capability to effectively perform its service. This will include updated information on the financial institution’s fair conduct programme and the nature, size and complexity of its service. The FMA plans further consultation with industry before publishing the requirements for regulatory returns. This reporting obligation is in addition to those required by section 412 of the FMCA.

Outsourcing – If a financial institution outsources a system or process necessary to the provision of its service, it must be satisfied on an ongoing basis that the provider is capable of performing the service to the standard required to enable it to meet its market services licensee obligations. Arrangements captured by this condition may include outsourcing hosting technology, processing insurance claims, and record keeping. Typical distribution arrangements will be excluded. Due diligence should include review of the outsource provider’s previous experience, public reports, reported complaints and operating jurisdiction.

Business continuity and technology systems – A financial institution must have a business continuity plan that is appropriate for the scale and scope of its service, and is implemented and maintained in a way that supports compliance with the institution’s fair conduct programme, including any outsourcing arrangements. Operational resilience of key systems must be maintained at all times. A financial institution must notify the FMA as soon as possible, and no later than 72 hours, after discovering any event that materially impacts the operational resilience of its critical technology systems.

Record keeping – A financial institution must create in a timely manner, and maintain, adequate records in relation to its service. These include evidence that the fair conduct programme has been implemented, maintained and regularly reviewed, that reasonable steps have been taken to comply with the programme, and any deficiencies identified have been promptly remedied. Records must be readily available to the FMA for inspection within 10 working days and retained by the financial institution for at least seven years.

Our comment

We welcome the FMA’s approach of keeping the licence conditions generally consistent with those applying to other licences, such as the full financial advice provider licence.

There are, however, some differences, key of which are:

  • institutions are required to notify only material changes to the nature of the financial institution service (a narrower requirement)
  • a shorter notice period (72 hours vs 10 working days) for notifying the FMA of events that materially impact operational resilience of critical technology, and
  • the lack of a condition regarding how complaints are handled.

Compatibility with other legislative regimes is important. Banks and non-bank deposit takers will also be subject to the new Deposit Takers Act, and some registered banks are covered by the Reserve Bank’s BS11 Outsourcing Policy.

Aligning these regimes will avoid confusion and improve efficiency.

Reasonably extensive record-keeping will be necessary in order to demonstrate that the fair conduct programme has been implemented, maintained, and regularly reviewed. In particular, clear evidence will be required that any conduct lapses identified have been addressed quickly and not ignored.

It is important to get these systems in place early.

If you want to discuss what these proposals mean for you, or help in preparing a submission, please get in touch.

Quick links to other Brief Counsels relevant to this topic

Big decisions on deposit taker regime

Conduct of Institutions Bill now law

Related insights

See all insights