Home › Ongoing Obligations

Ongoing Obligations

License holders are expected to maintain governance effectiveness and control discipline throughout the lifecycle of operations. Ongoing obligations include periodic reporting, material change notifications, AML/CFT monitoring, safeguarding controls (where client assets are held), and technology risk management. Expectations scale with custody exposure, product complexity, and cross-border activity.

Read Detailed Guidance Circulars & Notices Registered Agents

What to maintain

Ongoing compliance is evidence-led. Licensees should maintain a structured compliance library, control logs, and a change register to support supervisory engagement.

Periodic reporting

Cadence aligned to category and risk profile

Material changes

Notify changes to ownership, scope, or controls

AML / CFT

Monitoring, sanctions, reporting, recordkeeping

Tech risk

Security, resilience, change governance

Core obligations (high-level)

These obligations typically apply across categories, with additional requirements where custody exposure or product complexity is high. Licensees should maintain evidence artefacts that demonstrate ongoing control effectiveness, not only written policies.

Governance maintenance

Keep accountability mapping current and maintain evidence of oversight and decision-making discipline.

Key person register and role changes tracked
Conflicts disclosures reviewed and updated
Policies reviewed on scheduled cycles

AML/CFT monitoring

Maintain risk-based monitoring, sanctions screening, reporting discipline, and auditable recordkeeping.

Ongoing monitoring scenario tuning
Sanctions/adverse media escalation logs
SAR/STR governance and retention

Safeguarding discipline

Where client assets are held, maintain segregation, reconciliation, and tested incident readiness.

Reconciliation schedules and exception handling
Key access reviews and privileged access controls
Incident drills and recovery readiness updates

Technology risk

Maintain security monitoring, change governance, vulnerability management, and resilience planning.

Change management logs and approvals
Security testing and remediation tracking
BCP/DR testing evidence

Market conduct

Maintain disclosure discipline, complaint handling, conflicts controls, and communications governance.

Client communications review controls
Complaint handling logs and outcomes
Record retention and audit readiness

Material change notifications

Notify material changes to ownership, scope, custody model, key persons, or control posture.

Ownership/control changes
New products, regions, or client segments
Custody architecture or vendor changes

Periodic reporting (illustrative cadence)

Reporting cadence scales with category and risk profile. The table below provides an illustrative structure for reporting. Where a license category carries custody exposure or significant cross-border flow risk, enhanced reporting and evidence updates may be expected.

Reporting type

Typical coverage

Notes

Quarterly Compliance & risk summary

Key risk indicators, incidents, complaints, policy updates, control testing summary

Include remediation status and major control changes

Quarterly AML/CFT metrics

CDD/EDD volumes, monitoring alerts, sanctions escalations, reporting governance

Attach monitoring coverage updates and tuning notes where applicable

Monthly Custody & safeguarding (if applicable)

Reconciliations, exceptions, key access reviews, incident drill status

Enhanced frequency may apply for high custody exposure

Quarterly Technology risk

Security events, patching metrics, vulnerabilities, change management summaries

Maintain evidence logs for audits and supervisory requests

Annual Governance effectiveness

Board/leadership oversight, control reviews, independent assurance outputs

Include policy review cycle completion and training evidence

Keep a “change register”

A simple change register (ownership changes, scope changes, vendors, custody architecture updates, key person changes) prevents missed notifications and supports clean supervision.

Supervisory engagement readiness

Licensees should be able to respond to information requests with structured evidence. Maintaining an indexed compliance library, control logs, and version-controlled documentation reduces response time and improves clarity during engagement.

What to keep ready

A supervisor-ready library typically includes policies, procedures, logs, and testing artefacts mapped to control owners.

Evidence index (mapped to modules and control owners)
Control logs: monitoring, approvals, and remediation
Incident register and post-incident reviews
Vendor due diligence records and outsourcing governance

On-site / remote reviews

Reviews may examine how controls operate, not only what policies state. Be ready to demonstrate practical workflows.

Walkthrough of onboarding, monitoring, and escalation
Demonstration of access control and key governance (if custody)
Change management approvals and deployment controls
Complaint handling workflow and communications governance

Detailed Guidance Circulars & Notices Application Pathway

Next: guidance library and circulars

Use the guidance library for templates, supervisory notes, and evidence expectations aligned to your category.

Circulars & Notices Guidance Library