Current through Register Vol. 51, No. 25, December 13, 2024
Section 09.03.14.08 - Corporate GovernanceA. A licensee shall establish, document, and maintain sufficient corporate governance, as follows: (1) Each element of a licensee's corporate governance shall be commensurate with the size, operational complexity, and overall risk profile of the licensee.(2) For purposes of this regulation, the operational complexity and risk profile of a licensee shall, in part, be defined by the results of regulatory examinations, any external audits, and internal audits.(3) A licensee bears the burden of demonstrating to the Commissioner that its corporate governance is sufficient and commensurate with its size, operational complexity, and overall risk profile.(4) A licensee's corporate governance shall, at a minimum, include:(a) Clearly defined responsibilities and accountability;(b) Internal controls, policies, processes, and practices for monitoring, testing, and ensuring compliance with the corporate governance framework;(c) Internal controls, policies, processes, and practices for training of employees on corporate governance requirements; and(d) Internal controls, policies, processes, and practices addressing internal audits, external audits, and risk management as set forth in §§B-D of this regulation.(5) Each licensee shall, not less than annually, conduct a review of its corporate governance to determine its overall effectiveness, address emerging risks and otherwise assure that the corporate governance remains commensurate with the size, operational complexity, and overall risk profile of the licensee.(6) Any documentation, controls, policies, procedures, requirements, audits, reports, or other materials included in this regulation shall be made available to the Commissioner upon the Commissioner's request.B. Internal Audit.(1) A licensee shall establish internal audit requirements that are appropriate for the size, complexity, and risk profile of the licensee.(2) Unless impracticable given the size of the licensee, internal audit functions shall be performed by employees of the licensee who report to the licensee's owners or board of directors and who are not otherwise supervised by the persons who directly manage the activities being reviewed.(3) Employees performing internal audit functions shall have sufficient knowledge, training, and resources to provide a reliable evaluation of the licensee's operations, risk management, internal controls, and governance processes.C. External Audit. (1) If the Commissioner determines, based on the size, operational complexity, and overall risk profile of the licensee, that an external audit is appropriate, the Commissioner may direct a licensee to receive an external audit.(2) If the Commissioner directs a licensee to receive an external audit, that external audit shall include: (a) Annual financial statements including a balance sheet, statement of operations (income statement), and cash flows, including notes and supplemental schedules prepared in accordance with generally accepted accounting principles;(b) Assessment of the internal control structure;(c) Computation of tangible net worth;(d) Validation of permissible investments;(e) Verification of adequate fidelity and errors and omissions (E&O) insurance;(f) Testing of controls related to risk management activities, including compliance and stress testing, if applicable; and(g) Any other element the Commissioner considers appropriate.(3) Nothing in this regulation is intended to abrogate a requirement of a licensee to receive an external audit under any other law, rule, regulation, or by-law, policy, or procedure of the licensee.D. Risk Management. (1) A licensee shall at all times maintain a risk management program that identifies, measures, monitors, and controls risk sufficient for the size, operational complexity, and overall risk profile of the licensee.(2) The risk management program shall have appropriate processes and models in place to measure, monitor, and mitigate financial risks and changes to the risk profile of the licensee.(3) Evidence of risk management activities throughout the year shall be maintained, including findings of issues and the response to address those findings.E. Authority to Address Risk as Necessary. If risk is determined by a formal review of a licensee to be extremely high, the Commissioner may order or direct the licensee to satisfy additional conditions necessary to ensure that the licensee will continue to operate in a safe and sound manner and be able to continue to engage in the business of money transmission in compliance with state and federal law and regulation.Md. Code Regs. 09.03.14.08
Regulation .08 adopted effective 50:24 Md. R. 1041, eff. 12/11/2023