Building Trust and Integrity: A snapshot of the MFSA’s Corporate Governance Code

Introduction

Corporate governance is more than just a system of rules; it serves as the cornerstone for organisations to establish trust, accountability, and sustainable value. Governance is characterised as the framework that guides and manages companies, influencing not just the boardroom but also the broader social, legal, and economic dynamics that dictate how businesses function and are held responsible. Effective governance guarantees transparency and efficiency while harmonising corporate interests with those of various stakeholders, such as employees, customers, and the broader community.

At its core, effective corporate governance builds mutual trust and strengthens the financial stability of companies, safeguards investors, and upholds market integrity. On the other hand, failures in governance can result in negative consequences, eroding business confidence and damaging the economy. In response to this need, the Malta Financial Services Authority (“MFSA”, “Authority”) published its Corporate Governance Code in 2022 (“the Code”), which applies to all persons authorised by the MFSA to provide financial services in or from within Malta.


Scope and Application

The Code applies to all entities authorised by the MFSA to provide financial services in or from Malta, including entities other than limited liability companies. However, the Code excludes natural persons acting as authorised entities. It adopts a principle-based, proportional approach, ensuring that adherence aligns with the entity’s size, complexity, and business activities. Factors such as the institution’s risk profile, client type, and geographical presence help determine the extent of its application.

The Code organises its principles into four key sections:

  1. The Effective Board – Emphasising accountability, oversight, and strategic leadership.
  2. Internal Controls – Highlighting risk management, compliance, and operational integrity.
  3. Stakeholder Engagement – Promoting open dialogue with shareholders, employees, and other stakeholders.
  4. Corporate Culture, CSR, and ESG – Encouraging ethical practices and sustainable development.

The Board of Directors

Role and Function

The Board of Directors is the foundation of corporate governance, responsible for ensuring a company’s long-term sustainability. It is accountable for key governance pillars, including:

  • Accountability
  • Oversight
  • Risk management
  • Transparency
  • Legal and regulatory compliance
  • Strategy formulation
  • Policy development

The Board’s role is to lead with integrity and judgment, ensuring alignment between the organisation’s strategy, values, and culture. The Board must maintain high ethical standards and is required to establish its responsibilities and powers in a written document, such as a Board Terms of Reference, and circulate it to all members of the company.

Key responsibilities include:

  • Establishing strategies, risk appetite, and business policies
  • Ensuring necessary material and human resources are available to meet objectives
  • Maintaining an adequate internal control framework to identify and manage risks
  • Supporting innovation and fostering a culture of change to address evolving challenges
  • Striking a balance between enterprise risks and controls
  • Upholding transparent internal and external reporting systems
  • Actively engaging with stakeholders, including employees, suppliers, and customers.

Directors are expected to:

  • Act in the best interest of the entity with diligence, integrity, and accountability
  • Prevent conflicts of interest and ensure ethical conduct
  • Possess a deep understanding of the entity’s business and risks
  • Regularly participate in Board meetings and decision-making processes
  • Develop succession plans for future leadership
  • Ensure financial and regulatory reporting obligations are met

Structure of the Board

The Board of Directors must be structured to effectively fulfil its responsibilities and oversee the entity’s operations while taking into consideration the organisation’s nature, size, and complexity.

The Board’s composition should:

  • Include a mix of Executive and Non-Executive Directors proportional to the entity’s size and complexity.
  • Provide a diversity of knowledge, judgment, and experience suitable to the organisation’s scale and sophistication.
  • Balance expertise and experience to support effective debate and decision-making.
  • Rely on Non-Executive Directors to contribute objectivity, support, and constructive challenge to management.
  • Ensure Independent Directors remain free from conflicts of interest or relationships that could impair impartial judgment.

Role of the Company Secretary

  • A qualified company secretary must ensure effective communication within the Board and Committees and between Senior Management and Non-Executive Directors.
  • Responsibilities include advising the Board on governance matters and maintaining proper records of proceedings.

Committees

  • Boards are encouraged to establish Committees for specific duties, with composition and resources aligned to the Board’s structure.
  • Committees should have clear terms of reference and access to timely information to execute their responsibilities effectively.

Appointment and Succession

Authorised Entities must have a formal, rigorous, and transparent process for appointing Directors, ensuring that candidates are selected based on merit and objective criteria. Fit and Proper Assessments should be carried out both at the time of appointment and on an ongoing basis to make sure that the Board is made up of people who are qualified for their positions.

Reappointments should take into account the candidate’s prior performance, and the appointment procedure should be thoroughly recorded. Directors should be well informed on the organisation and its governance structure upon joining the Board, with the help of recurring meetings that cover:

  • Statutory and fiduciary duties
  • The entity’s operations and prospects
  • Skills and competencies of Senior Management
  • The general business environment
  • The Board’s expectations

Fitness and properness of Directors are assessed against the following criteria:

  • Competence
  • Reputation
  • Conflicts of interest and independence of mind
  • Time commitment

Boards are encouraged to establish a Nomination Committee to oversee appointments and succession planning. The Committee should:

  • Propose Board candidates, considering shareholder recommendations.
  • Assess and make recommendations on the Board’s structure, size, composition, and performance.
  • Plan for succession at both the Director and Senior Executive levels.
  • Review the Board’s policies for selecting and appointing Senior Management.

Chairperson and CEO

The roles of the Chairperson of the Board and Chief Executive Officer (CEO) should be clearly defined and separated to ensure a balance of power and effective governance. The Chairperson leads the Board and focuses on its effectiveness, while the CEO is responsible for the entity’s day-to-day management and strategy implementation.

Chairperson's Responsibilities

  • Lead the Board, set its agenda, and facilitate efficient resolution of issues.
  • Ensure the Board operates effectively and receives accurate, timely, and relevant information for sound decision-making.
  • Foster constructive relationships between Executive and Non-Executive Directors and encourage active engagement in discussions.
  • Promote open communication with shareholders and provide equal opportunities for Directors to express their views.
  • Uphold a culture of openness and debate while maintaining objectivity throughout their tenure.
  • The Chairperson should not hold the role of CEO or act as the entity’s Beneficial Owner unless exceptional circumstances arise.
  • In cases where these roles are combined, additional Non-Executive Directors must be appointed to ensure independent judgment and challenge during Board meetings.

CEO's Responsibilities

  • Appointed by the Board, the CEO leads the implementation of the Board’s strategy and oversees operational management.
  • Ensure systems are in place for staff development, training, and compliance with laws and regulations.
  • Monitor morale within the entity and address the recruitment and appointment of Senior Management, coordinating with the Board or Nomination Committee where applicable.
  • The CEO should not serve as Chairperson or take a leading role in compliance management to maintain clear separation of duties.

Remuneration of the Board and Senior Management

Entities must adopt formal, fair, and transparent remuneration policies and processes for the Board and Senior Management. These policies should align with the entity’s business strategy, objectives, and values to ensure long-term success.

Remuneration policies should:

  • Avoid conflicts of interest.
  • Enhance risk management and discourage excessive risk-taking.
  • Be gender neutral.
  • Undergo regular evaluation and review.

The Code recommends establishing a Remuneration Committee with the following responsibilities:

  • Propose the remuneration policy for Directors and Senior Executives to the Board.
  • Recommend individual remuneration for Directors, ensuring alignment with the policy and performance evaluations.
  • Monitor the remuneration structure for Non-Executive Directors.
  • Ensure that performance measures and KPIs include compliance culture and ethical values and impose consequences for failures in these areas.

It is important that no member of the Remuneration Committee is present during discussions about their own remuneration, ensuring impartiality in decision-making.

Internal Controls

The Board must establish robust internal control mechanisms to identify, understand, manage, and disclose risks as necessary, while overseeing all business lines and internal operations. Entities are expected to integrate the principles of the updated Three Lines Model into their controls, operations, and culture, tailoring it to their specific needs to enhance governance, risk management, and financial crime compliance.

Risk Management

Authorised Entities must establish a comprehensive risk management framework that extends across all business lines and internal functions to ensure awareness and informed decision-making on risk-taking. The framework must identify, understand, manage, and, where appropriate, disclose risks.

The Board holds ultimate responsibility for risk management, including:

  • Establishing the entity’s risk appetite.
  • Monitoring, reviewing, and reporting on risk management and internal control systems.
  • Identifying and addressing existing and emerging risks, including financial crime risks.

The Board should:

  • Regularly assess circumstances that could expose the entity, its Directors, or clients to risk and take appropriate actions.
  • Benchmark the entity’s business risks and performance against industry norms to evaluate its effectiveness.
  • Ensure management monitors performance consistently and provides accurate reports at least quarterly.

Compliance

Entities are required to establish a permanent and independent compliance function which must:

  • Monitor and assess the adequacy and effectiveness of compliance measures and address deficiencies.
  • Develop and implement an annual compliance monitoring plan.
  • Advise and assist the entity and its officials in meeting legal and regulatory obligations.

To ensure the effectiveness of the compliance function, entities must:

  • Provide it with the necessary authority, resources, expertise, and access to relevant information.
  • Appoint a Compliance Officer with sufficient knowledge, skills, and experience, also applicable to the MLRO or financial crime compliance manager, if relevant.
  • Ensure individuals in the compliance function remain independent of the services or activities they monitor.
  • Set remuneration methods for compliance personnel that preserve their objectivity and independence.

Internal Audit

Authorised Entities should establish an internal audit function where appropriate, considering the nature, scale, and complexity of their business. This function must operate independently and objectively, adding value to the entity by enhancing its internal control framework and improving overall operations.

Entities should consider forming an Audit Committee, composed of Non-Executive Directors, responsible for:

  • Overseeing the financial reporting process.
  • Managing relationships with external and internal auditors.
  • Assisting the Board in its oversight of internal governance, internal controls, financial statements, risk management, and the internal audit function.

ICT and Security Risk Management

Authorised Entities should set up a framework for managing ICT and security risks that includes regular risk assessments, audits, and reports.

Internal stakeholders must:

  • Be aware of the risks arising from technological dependencies.
  • Understand their potential impact on the entity’s operations.

Management should recognise the reliance on third-party service providers and include risks from potential technological interruptions in their contingency plans.

When outsourcing, the effectiveness of the risk management framework must be maintained through clearly defined contracts and service level agreements (SLAs). The Board is responsible for monitoring third-party compliance and ensuring adherence to agreed standards. Further detailed guidance is provided through the Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements issued by the MFSA.

Business Continuity and Disaster Recovery

Authorised Entities must establish and maintain comprehensive contingency plans to ensure business continuity and disaster recovery.

These plans are designed to:

  • Minimise financial losses.
  • Ensure the continuity of critical operations.
  • Mitigate risks to clients, investors, and the entity’s reputation.

Directors have a key responsibility in this process. They should:

  • Understand the essential dependencies required to keep the business operational.
  • Assess how the entity protects itself from potential disruptions.
  • Evaluate the adequacy of response and recovery plans.
  • Ensure sufficient resources are allocated to support these measures effectively.

Stakeholder Engagement

Engagement with Shareholders

The Board should act in the legitimate interests of the entity, fully account to shareholders, and prioritise protecting and enhancing the interests of both current and future shareholders.

General meetings, particularly annual general meetings (AGMs), should serve as the primary platform for shareholder communication.

  • The Board must also comply with legal requirements for convening extraordinary general meetings.
  • Shareholders unable to attend general meetings should have the option to appoint a proxy to vote on their behalf, whether in favour, against, or abstaining from any proposal.

The Board should ensure continuous dialogue with shareholders and treat them fairly and equitably.

  • All holders of each class of capital must be treated equally.
  • Barriers that limit shareholders’ ability to exercise their voting rights must be removed.

Meeting agendas and procedures should be structured to encourage valid discussion and decision-making without frustrating these processes.

Engagement with employees and other stakeholders

The Board should foster active cooperation between the entity and its stakeholders, including suppliers, customers, employees, and public authorities. Effective collaboration with stakeholders, such as business partners, creditors, and local communities, supports sustainable growth.

Entities should hire skilled personnel to fulfil their responsibilities. The Board is responsible for:

  • Participating in the appointment of Senior Management alongside the CEO and establishing a succession plan.
  • Ensuring adequate training for Directors and Senior Management.
  • Aligning policies and practices with the entity’s strategy and values.

Entities should maintain open dialogue with stakeholders and implement systems to:

  • Recruit, retain, and motivate high-quality staff.
  • Provide continuous professional development and relevant training.
  • Monitor management and staff morale.

Employees should have opportunities to express concerns (even anonymously) and participate in decision-making.

The Board must ensure timely and accurate reporting on financial matters, performance, ownership, and governance, following regulatory requirements. Information should be disclosed per applicable standards and frameworks.

Corporate Culture, CSR and ESG

The Board is responsible for fostering a corporate culture that aligns with the entity’s strategy, promoting trust, integrity, ethics, and long-term value. A strong compliance culture should also be cultivated.

Entities should integrate Environmental, Social, and Governance (ESG) and Corporate Social Responsibility (CSR) into their strategies to drive sustainable finance and long-term value creation. ESG principles should be embedded into business models to enhance economic efficiency, sustainable growth, and financial stability.

Sustainable finance directs investments towards environmentally and socially responsible growth, requiring entities to consider sustainability in decision-making and core values.

  • Entities should have an ESG strategy and report on their initiatives.
  • They should act as responsible corporate citizens, working closely with stakeholders.
  • The Board should go beyond legal compliance by investing in human capital, environmental protection, and stakeholder relations.
  • Efforts should focus on sustainability, health and safety, and resource management in production processes.

Entities are encouraged to:

  1. Participate in and contribute to ESG initiatives and events.
  2. Publicly report on ESG commitments and performance.
  3. Communicate their business impact, especially on sustainability.

Entities should assess, manage, and report on environmental risks and opportunities while ensuring transparency in ESG-related risks affecting the financial system. They should offer financial products that genuinely meet sustainability preferences and stay informed on global ESG trends.

Concluding Remarks

The Code provides a comprehensive framework to ensure that entities operating in Malta uphold the highest standards of transparency, accountability, and ethical conduct. By fostering a strong corporate culture, engaging with stakeholders, and integrating ESG and CSR principles, the Code aims to create a sustainable and responsible financial ecosystem.

Effective governance is essential for long-term value creation, balancing the interests of shareholders, employees, customers, and regulatory authorities. Through robust internal controls, risk management, and compliance structures, entities can strengthen investor confidence and enhance financial stability.

Ultimately, the Code serves as a guiding instrument for businesses to navigate regulatory expectations while promoting responsible corporate behaviour. Adhering to these principles will not only ensure compliance but also drive growth, innovation, and resilience in an evolving economic landscape.


Key Contact

Stephanie Marinova

Associate

More about MK Fintech Partners Ltd.

Michael Kyprianou Fintech Partners Ltd. is a Maltese company providing services in the FinTech sector. It comprises a team of dedicated experts who provide services such as Legal Advisory, Crypto Licensing, Token Issuers’ Licensing, Investment Services Licensing, and registrations of activities related to Fintech, Crypto, Blockchain & Data Protection, Investment Funds Services & Banking, Company Incorporations, and M&As.

MK Fintech Partners forms part of the Michael Kyprianou Group, a top tier international legal and advisory firm. It has established an enviable reputation as a broad-based legal practice over the years. Mainly by keeping at heart its principle to always exceed its clients’ expectations. MK has grown to become one of the largest law firms in Cyprus with offices in Nicosia, Limassol and Paphos. The MK Group’s international presence also includes fully-fledged offices in Greece (Athens and Thessaloniki), Malta (Birkirkara), Ukraine (Kiev), the United Arab Emirates (Dubai), United Kingdom (London), Israel (Tel Aviv), and Germany (Frankfurt).

The content of this article is valid at the date of its first publication. It intends to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on a specific matter before acting on any information you read. For further information, contact us at MK Fintech Partners via email at contactmkfintech@kyprianou.com or by telephone +356 9905 6193.
