The Superintendent for Supervision of Institutional Investors of the Brazilian Securities and Exchange Commission ("SIN/CVM" and "CVM", respectively) released on February 23, 2021, CVM/SIN Circular Letter No. 02/2021 ("Letter"), which establishes guidelines on the minimum elements of the compliance activities and the Compliance Report provided for in articles 19–22 of CVM Instruction No. 558 of March 26, 2015, as amended. The amendments intend to improve the rules of conduct and internal controls of securities portfolio administrators, including by a mandatory designation of an officer responsible for the supervision of the enforcement of these internal rules and procedures ("Compliance Officer").
According to the Letter, a plan must be developed to ensure efficient verification, follow-up, and testing of the internal controls of each institution. The Letter suggests that the planning consider (i) the nature and complexity of the portfolio administrator's operations, the segment in which it operates and the strategies and fund types used in the management activity, with a special emphasis on segments that recently began operation; (ii) the profile and risk "appetite" of the institution and of its employees, directors and managers, as defined by the institution's senior management; and (iii) the company’s degree of maturity in the various issues faced by internal controls, especially regarding the experiences and findings of previous years.
The Letter also establishes that the report prepared by the compliance area must contain, at minimum, considerations about the compliance of the institution with the regulatory rules in effect regarding the activities of asset management, fiduciary management, risk management, suitability, and distribution of shares, depending on the category of registration that the portfolio administrator holds at CVM (such as Asset Manager, Fiduciary Manager, or Full Manager).
To prepare the Compliance Report, the Compliance Officer must establish a continuous work routine that defines the guidelines for the document and the tests to be applied (including sample testing) considering the size and activity performed by the company. In the analysis of the company and the draft of the report, several instruments can be used, for example: (i) periodic internal reports from the management and risk areas; (ii) the adoption of checklists of periodic obligations; (iii) direct tracking of operations and reports from other areas of the company; and (iv) other instruments or methods, as long as they are susceptible of verification.
The Compliance Report must include: (i) the conclusions of the inspections that were carried out; (ii) the recommendations regarding any weaknesses identified, with the provision for remediation schedules, when applicable; and (iii) a statement from the director responsible for the management of securities portfolios or, when applicable, by the director responsible for risk management regarding the weaknesses found in previous risk assessments, along with the measures planned to address them and the specific schedule for addressing them or the measures already effectively taken for remediation.
Below we list some of the areas that should be covered by the compliance area of a securities portfolio administrator when preparing the Compliance Report. CVM has suggested that these points should also be covered in Compliance Report for 2020, which should be filed by April 2021:
1) Verification of the requirements for excellent reputation of the company's directors and controlling shareholders;
2) Verification of any adjustments made to the company’s policies and documents originating from: (i) regulatory changes; (ii) regulatory requirements; (iii) consequences of internal changes, of management decisions, or from notes received in the scope of due diligence processes;
3) Analysis of potential violations to the company’s Code of Ethics and other internal policies by its administrators, employees and collaborators. In case there was a violation, the analysis should include a report that presents what was done to address the issue , especially in case of more serious professional deviations. If such deviations resulted in sanctions and/or financial, business or image consequences for the company and the person involved, the report should highlight the measures that were taken to prevent recurrence;
4) Evidence that the training program for managers, employees and collaborators previously established has been duly conducted and completed;
5) Evidence that the policies to prevent possible conflicts of interest have been effectively complied with;
6) Evidence that there are effective controls to protect confidential information, as well as that the company's security systems are periodically tested;
7) Evidence that the risk management policy (market, credit, liquidity, counterparty and operational) has been complied with and is aligned with the rules and regulations in effect;
8) Reporting on any deviations and non-conformity situations that occurred in the execution of the managers’ mandates and what measures were adopted to correct them;
9) Evidence that the performance and qualifications of third party service providers was adequate. If applicable, breaches of contracts that presented risks to the company's funds and investors must be noted; and
10) Present statistics about the situations occurred in the year and that involved operational risks, as well as their diagnosis and any improvement measures adopted.
If you are interested in accessing all the requirements established by the Letter, please visit:
http://conteudo.cvm.gov.br/legislacao/oficios-circulares/sin/oc-sin-0221.html (in Portuguese only).