Executive Summary: General Rule No. 507 by the CMF takes a decisive step in risk management for General Fund Administrators (AGFs), shifting responsibilities from general management and compliance units to a newly established risk unit (as the second line of defense), while maintaining the audit unit as the third line of defense. It also details the functions of the board and the content of policies, procedures, and the risk matrix.
On May 8 of this year, the CMF published NCG 507, which, as of February 1, 2025, will replace Circular 1,869, which has governed the third-party fund management industry in terms of risk management since 2008.
NCG 507 was issued simultaneously with NCGs 508, 509, and 510, all of which aim to provide a harmonized approach to risk management for the actors in the securities market.
With respect to AGFs, NCG 507 deepens the understanding of the role of the board of directors of AGFs in accordance with Article 20 of Law No. 20.712, and introduces a substantial modification to the corporate governance of risk management. It assigns the board a detailed catalog of responsibilities, including, among others:
(i). Approve the risk appetite levels.
(ii). Establish a new, mandatory Risk Management Committee, without prejudice to the formation of other committees such as audit, liquidity, and anti-money laundering, all of which—if established—must include at least one director from the AGF.
(iii). Establish a new Risk Management Unit responsible for identifying, measuring, monitoring, and managing the AGF's key risks, such as financial, operational, and compliance risks.
(iv). Establish an Internal Audit Unit responsible for verifying the proper functioning of the internal control and risk management systems.
(v). Approve the annual activity plans for both the Risk Management Unit and the Internal Audit Unit.
Both the Risk Management Unit and the Audit Unit report directly to the board of directors and must remain independent from the risk-generating units as well as from each other.
Under the new NCG 507, the CMF allows that if the AGF is part of a corporate group, the risk management and internal audit activities may be carried out by a corporate unit. Additionally, under certain circumstances, these functions can be delegated to a compliance officer or other units within the organization (instead of a dedicated risk unit); however, it is important to note that these units cannot be risk-generating entities.
Under the current organizational structure of Circular 1,869, the risk management functions, which fall under the responsibility of the general manager, are distinguished from the control functions, which are assigned to the "Compliance and Internal Control Officer," a role of significant importance under this regulation. The policies and procedures for risk management and internal control must be included in a Risk Management and Internal Control Manual, which must be approved annually by the board of directors. The board has the following responsibilities: (i) approval of risk management and internal control policies and procedures, at least annually; (ii) approval of contingency plans, at least semi-annually; (iii) review of a quarterly report on non-compliance prepared by the Compliance Officer; (iv) review of a semi-annual report detailing the functioning of the control system over the past six months; and (v) approval of the Risk Management and Internal Control Manual, at least annually.
Under the new organizational structure of NCG 507, the risk management and internal control functions, both assigned to the Risk Management Unit, are distinguished from the audit function, which is handled by the Audit Unit. The Audit Unit's objective is to verify the proper functioning of the internal control and risk management system. This represents a shift in responsibilities from the General Manager and the Compliance Officer to the new Risk Management Unit, which reports directly to the Board of Directors.
NCG 507 establishes the requirement to implement a risk matrix that considers the various operational cycles (investment, contributions and redemptions, and accounting and treasury) and their associated risks. This matrix must identify, among other factors, the responsible parties, inherent risks, importance levels, and residual risks. While the CMF had previously mandated this requirement, NCG 507 provides more detailed specifications regarding its content, offering a clearer framework for the industry to follow.
Under NCG 507, in addition to ensuring the aforementioned functions, the board of directors must: (i) approve the risk management and internal control policies and the annual activity plan at least once a year; (ii) approve the risk management plan at least semi-annually, which must include risk mitigation strategies and contingency planning for key risks; and (iii) review the internal audit unit's report on a semi-annual basis.
In our next regulatory update, we will provide an in-depth review of CMF's NCG 510 on operational risk, which, as a preview, focuses on information security and cybersecurity, business continuity, and the outsourcing of services.
NCG N°507: https://www.cmfchile.cl/normativa/ncg_507_2024.pdf
We hope you find this note of interest. If you need more information, please don't hesitate to contact us.
