Policies - Licensee
Reviewed: 09/09/2025 – Rupert Gough
Compliance Assurance
INTRODUCTION
A strong compliance process helps to ensure that we meet not only our regulatory and legal obligations but deliver a good customer experience as well. We do this by ensuring that we have effective policies and procedures in place. Our controls are how we ensure that we are complying with our policies.
Compliance is an outcome of conforming to a rule or standard. The rule may come from a law or regulation, or our internal business rules such as a policy or code of conduct. This means that we need to follow both external rules and internal rules and/or standards.
COMPLIANCE LINKS
Compliance is how our business meets these rules and standards.
Whenever legislation changes, we need to implement a process to meet the new requirements. We need to be sure that we meet all the legal and regulatory requirements for our business. This compliance assurance program sets out how we do this.
PURPOSE
Our business has developed systems and procedures to comply with:
Financial Markets Conduct Act 2013 (the Act);
Financial Markets Conduct Regulations (the Regulations);
Financial Market Authority (FMA) guidance notes and monitoring reports; and
Our internal policies, processes and organisational standards.
This program is to ensure that our business has adequate and effective arrangements to challenge and test:
The design and operation of our processes and controls; and
The adequacy of our compliance activities.
The program provides information on:
Roles and responsibilities for overseeing compliance within our business;
The regulatory obligations to be met by our business;
The procedures in place to comply with our obligations; and
How compliance with these procedures will be monitored.
COMPLIANCE COMMITMENT
Maurice Trapp Group is committed to a strong customer-focused culture which is underpinned by robust and compliant processes. Our staff play an integral role in fulfilling, monitoring and reporting on compliance obligations.
We aim to empower our staff to do the right thing and know how to do it.
Recognising, reporting and remediating breaches is the responsibility of all staff. We have a no-blame policy regarding breaches, but not regarding failure to report or remediate any breaches.
COMPLIANCE FRAMEWORK
Our compliance framework is the structured business processes we have implemented to comply with our regulatory obligations and ensure good business practice. It includes the day to day activities to check compliance.
Elements of our compliance framework |
---|
Our Code of Conduct (MTG’s Code of Conduct & Ethics) |
Identify our key business risks; and identify our regulatory obligations |
Implement policies, procedures and controls to meet the obligations; and maintain business registers to record key business information |
Educate and train our staff |
A compliance calendar to remind us when compliance activities are due |
A program to validate our compliance framework (our compliance assurance program) |
How we develop our compliance framework:
For each relevant business procedure, we identify the regulatory obligation;
We note the obligations on a register called our compliance obligations register;
We ensure that there is a policy or procedure in place that staff members need to follow to meet the obligation;
We note the controls in place for each obligation and determine the level of risk for the business;
We provide training to staff and contractors on our policies and procedures and explain their regulatory obligations;
We test and monitor that the controls are in place and working as intended; and
We address any control weaknesses and improve as required.
ROLES & RESPONSIBILITIES
All staff in our business are required to comply with the law, the Code of Professional Conduct for Financial Advice Services and our business policies. Some roles have specific responsibilities for checking compliance as follows:
FAP Licensee
The names of the licence holders are Maurice Trapp Group, FSP107344 and The Mortgage Lab, FSP587228. The FAP Licensee must meet the licensing criteria as well as the standard and specific conditions of the licence. An annual regulatory return will be provided to the FMA as required.
Financial Advisers
Financial advisers must provide compliant financial advice as required by the FAP Licensee. Financial advisers must have their client files reviewed on a periodic basis as determined in the annual compliance assurance program.
Business Risk Manager
The name of our Business Risk Manager (BRM) is Rupert Gough. The BRM is responsible for:
Ensuring that our policies, procedures and controls are regularly reviewed and updated.
Keeping track of regulatory changes and making business changes as required.
Providing compliance training to new staff.
Sharing compliance reports and information.
Completing internal compliance testing and monitoring checks.
Filing regulatory reports and returns.
Reviewing any business registers such as complaints, conflicts of interest, breaches etc.
Identifying emerging trends or issues and alerting the business owner.
Business Owner
The responsibility of the business owner is to ensure that Maurice Trapp Group is meeting its regulatory obligations. While certain functions of the FAP Licensee may be outsourced, the responsibility remains with the business owner.
REGULATORY OBLIGATIONS
The first part of our compliance framework is to identify what rules and standards our business needs to meet.
The new financial advice regime sets new requirements. These can be found in:
Financial Services Legislation Amendment Act 2019;
Financial Markets Conduct Act 2013;
Regulations for new disclosure requirements (not yet available); and
The Code of Professional Conduct for Financial Advice Services.
Regulators, law makers and industry bodies publish additional information on the requirements. This material provides valuable information to help us to comply. These may include:
Guidance notes;
Industry reports;
Association training material;
Codes of practice;
Industry best practice; and
Standards.
Business Activities, Products & Services
We list all the key activities for our business. This covers our key operational processes, including how we deal with clients, third parties, vendors and/or suppliers.
We identify the people, systems and processes involved in each business activity. For example, all sales activities involve interactions with clients and are recorded in our client file notes.
Applicable Areas of Law
We also identify other areas of the law that apply to our business. These include:
Advertising and promotion;
Consumer protection;
Employment law;
Fair trading or fair dealing;
Intellectual property;
Privacy and data protection; and
Workplace health and safety.
Keeping Up to Date
We keep up to date and determine the compliance obligations imposed on our business by:
Reading information supplied on government or FMA Websites
Reading brochures and any other handouts available
Consulting with a compliance advisor, accountant or our lawyer
Going directly to the primary sources of law (legislation and regulations)
Subscribing to a third-party information service
OBLIGATIONS REGISTER
We create a register of the regulatory rules. This is our ‘Obligations Register’.
The Obligations Register records all of our business compliance obligations. The register includes the relevant rules, tasks or actions we need to take. The Obligations Register is set out in text form for easy analysis.
Reviewing our Business Processes & Controls
Throughout the year we test and monitor our business processes and controls that are required by law and those material to our business, to ensure that they are working and are effective. Where possible, testing is done independently of those involved in the day-to-day process and oversight.
Key controls are those that are effective in reducing a high-risk issue. Key/critical controls are the ones that are checked and/or reported against most often.
The object of a control is to modify the risk in some way, i.e. to reduce the likelihood and/or impact of the risk.
Control Effectiveness
Best practice is for controls to be tested at least annually to ensure that they are working, appropriate and relevant. Depending on the nature and importance of the control, some controls will be assessed more frequently.
Control Effectiveness Checklist | |
---|---|
Control exists and is documented | It won’t work if it doesn’t exist. If we can prove the control happened, it’s generally considered more effective than a control with no evidence of having occurred. |
Control is well designed | The strength of the control should be assessed/reviewed. The timing of the control should closely relate to the activity. What is the cost-benefit of running the control? |
Control is operating as intended | Can we evidence that the control is in place and is working properly? |
Control has not failed | Have there been any risk events during the last 1–2 years? How many? Why didn’t the controls work? |
Control has been independently reviewed | The control should be reviewed by someone who didn’t design it and doesn’t use it regularly. Independent review provides better insights about the effectiveness of the control. |
For each control identified/in place, our Internal Compliance Person uses a control testing template to assess effectiveness of the control. Our template is provided in Appendix 3.
Testing will Consider
The nature of the control and how often it is performed;
The size and content of the sample will be relevant to the process;
The risk rating of the process – higher risk processes will be subject to more frequent control testing;
Dependency on other controls; and
Exceptions in the control effectiveness, and how they have been reported and investigated.
Control Methodology
A combination of the following methods may be used to help evaluate control effectiveness and design:
Control methodology | |
---|---|
Subject Matter Expert | It won’t work if it doesn’t exist. If we can prove the control happened, it’s generally considered more effective than a control with no evidence of having occurred. |
Risk indicators | The strength of the control should be assessed/reviewed. The timing of the control should closely relate to the activity. What is the cost-benefit of running the control? |
Independence | Outcomes of independent compliance reviews and/or testing provide good evidence of effectiveness of controls. The person conducting the test will not have been involved in designing or implementing the control. |
Sample testing | A selection of a representative sample of controls. For example, we might test 10% of the new clients onboarded over a 12-month period. |
Control Effectiveness Scale
Once tested, the design and effectiveness of a control can be rated as follows:
Rating | Effectiveness |
---|---|
4 | Very good. The control is always reliable, efficient and easy to audit. The control is operating effectively and will mitigate or detect risk in most circumstances. |
3 | Good. The control is mostly reliable and effective and can be audited. While the control mitigates most aspects of the risk, it could be strengthened. |
2 | Adequate. The control is usually reliable but not always effective. It may be difficult to audit. |
1 | Poor or Ineffective. The control is unreliable, ad hoc or poorly documented and does not leave an audit trail. The control may be poorly designed. The control does not provide enough protection and may not control the risk. |
Our Compliance Calendar
We need to complete some of our obligations within a certain timeframe. For example, once a year we pay our membership fee to belong to a disputes resolution scheme.
A compliance calendar is a simple way to record when these actions are due and remind us to check that they have been done. By setting up a compliance calendar we:
Know our compliance obligations due each month;
Schedule time to complete checks; and
Confirm the actions that have been completed.
Our Compliance Calendar is here.
Some tasks need to be completed frequently, e.g. monthly. These are noted in the ‘recurring’ section. Other tasks may only be required occasionally and are noted in the ‘ad-hoc’ section.
Compliance Assurance Program
The Compliance Assurance Programme (CAP) is the in-depth process we implement to challenge and test our compliance. The focus is on whether our compliance framework has been designed properly and is operating effectively.
The testing and design of the tests are done by a person independent of the people involved in the day-to-day processes and/or oversight.
The CAP is approved every year by the business owner. It aims to provide assurance on whether the business is meeting its regulatory obligations and where processes and controls require strengthening.
Our approach to compliance assurance is to focus on:
The types and levels of risk in our business;
Testing and monitoring the design and effectiveness of our systems and processes; and
How involved our business owner is in overseeing business functions.
Reporting
The results of our compliance testing will be reported to the business owner and the SMT to evidence how we know that we comply.
Governance
INTRODUCTION
The board has responsibility for the affairs and activities of the company, which in practice is achieved through delegation to the Managing Director together with the Senior Leadership Team (SLT), and others, who are charged with the day-to-day leadership and management of the business. The Managing Director is the principal representative of the company to our stakeholders.
POLICY STATEMENT
We will meet all our licence obligations and ensure good conduct is achieved by all directors, employees, contractors and financial advisers.
The board has appointed a Senior Leadership Team (SLT). The objective of the SLT is to assist the board to monitor the adequacy and effectiveness of MTG’s policies, procedures and controls in fulfilling its obligations under the Financial Markets Conduct Act (FMCA) and in the performance of its obligations as a Financial Advice Provider (FAP) Licensee.
The responsibilities of the SLT are as follows:
Overseeing the design, implementation and operation of MTG’s risk management framework (including key controls) to ensure that it continues to operate effectively within the risk appetite set by the board;
Monitoring, and reporting to the board on, new and emerging sources of risk and the controls and mitigation measures put in place to deal with those risks;
Reviewing the effectiveness of the Compliance Management Framework for identifying, monitoring and managing compliance with relevant obligations;
Reviewing the compliance processes that are in place to anticipate and effectively manage the impact of regulatory change on MTG’s operations;
Guiding management to establish and maintain a sound risk culture, and reporting to the board on risk culture-related matters that affect MTG’s ability to operate consistently within its risk appetite, including any desirable changes to the risk culture;
Liaising with and engaging external auditors and risk & compliance suppliers;
Ensuring recommendations highlighted in internal compliance reports are actioned by management and advisers;
Monitoring internal controls instituted;
Supervising special investigations when requested by the board; and
Any other duties and responsibilities which have been assigned to it from time to time by the board.
KEY PROCESSES
MTG addresses key compliance issues at bi-monthly SLT meetings. The MD is responsible for drawing to the board’s immediate attention any material matter that relates to the financial condition of the company, any material breakdown in internal controls, and any material event of fraud or malpractice.
After each meeting the MD will report the SLT’s recommendations and findings to the board. The minutes of all SMT meetings shall be circulated to members of the board and to such other persons as the board directs.
The MD will present an annual report to the board summarizing the SMT’s activities during the year and any related significant results and findings.
CONTROLS
SMT
How implemented: Bi-Monthly Meetings
Responsibility & Frequency: Head of A&S – Bi-Monthly
REFERENCE
FMA – Standard Licensing conditions – Ongoing requirements
You must at all times continue to satisfy the requirements set out in section 396, and if applicable, section 400, of the FMC Act. Sections 396 and 400 of the FMC Act specify the requirements in respect of which the FMA must be satisfied in order to grant a licence, or authorise an entity as an authorised body. For example, the FMA must be satisfied that:
any prescribed criteria are met
your directors and senior managers are fit and proper persons
you are capable of effectively performing the service
there is no reason to believe you are likely to contravene your obligations
you are registered on the Financial Service Providers
Risk Management Policy
INTRODUCTION
Everyone in the business is responsible for identifying and managing risk. Poor risk management invariably increases costs and time spent on non-productive activities. Effective management of risk is essential for MTG to achieve its goals and objectives.
POLICY STATEMENT
We are committed to proactively and consistently managing risk in order to:
Enhance and protect company value by delivering on our commitments,
Allow the business to pursue opportunities in an informed way and align with our risk appetite,
Ensure a safe and secure environment for MTG staff, partners, and
Avoid negative publicity and reputational
KEY CONCEPTS
Risk is anything that can impact on our ability to achieve company goals and objectives and is therefore interconnected with our business plan and strategy. Risk is assessed in terms of a combination of the impact and likelihood of an event occurring and can be categorised according to the areas it could potentially impact.
These are:
commercial/financial sustainability;
performance of core services;
stakeholder confidence/reputation;
preparedness to manage and respond to a crisis;
people safety and resource availability; and
regulatory/contractual.
Risk appetite describes MTG’s tolerable levels of risk. It draws together risk metrics and risk management, so they can be translated into everyday business decisions, reporting and discussions. Risk appetite is set by the Board and reviewed annually.
Risk management is the process through which risk is managed and includes risk identification and reporting through to risk mitigation and allocating risk ownership.
As a business we need to be committed to ensuring rigorous risk management processes are in place.
To implement risk management effectively, it must be integrated into the business operations, projects, and decision-making processes. It is part of the business mindset and integral to the way we do things.
If we do not manage our risk effectively, this may result in:
loss of revenue or increased costs (including from investigations, litigation, penalties, or damages)
negative publicity
reputational damage
the potential loss of clients
injury to MTG people and partners
RISK MANAGEMENT
The objective of our risk management framework is to ensure we operate within our agreed risk tolerance and risk limits. We do this by the:
effective and efficient continuity of operations;
safeguarding of our assets;
preservation and enhancement of our reputation;
reliability of internal and external reporting;
compliance with applicable laws and regulations
Creating and maintaining a culture consistent with our risk tolerance is an important element of operational risk management, as are our selection and recruitment processes.
ROLES AND RESPONSIBILITIES
The roles and responsibilities in relation to this policy are as follows:
Directors
The Company directors are:
Maurice Trapp
Brent Wright
Rupert Gough
The directors are required to:
Set the risk appetite for the business
Monitor and review the activities and reporting of the SMT
Senior Leadership Team
The SLT is required to
Promote a culture of proactively managing risks, aligned with this policy and the business’
Review the key business risks regularly and review the risk
Proactively mitigate key business
Review controls and their effectiveness in mitigating the
All Staff
Appropriately identify and manage the risks in their area of work.
Support Functions
The SLT will provide the framework to enable the identification of compliance obligations and the compliance controls embedded in the business that ensure our obligations are met. Wherever possible the risk and compliance frameworks will be aligned.
Independent assurance providers, including business assurance, external audit and regulators undertake periodic reviews to assess:
the effectiveness of internal processes and controls for managing risk; and
the effectiveness of relevant aspects of MTG risk management implementation as
KEY PROCESSES
We identify and define the key risks that our business could be exposed
Each key risk is recorded in the Risk
Risks are rated according how likely they are to occur and the impact if they did occur to provide a risk
We ensure that sufficient controls are in place to manage the
Controls are the specific activities undertaken to reduce the exposure to risk. The controls are reviewed and tested on a regular frequency. The frequency depends on the risk rating and the importance of the control.
MTG: Risk Rating Matrix
Impact Risk Criteria | Insignificant | Minor | Moderate | Major | Severe |
---|---|---|---|---|---|
People (Health & Safety + other) | Injuries or ailments not requiring medical treatment. Poor working environment. | Minor injury or First Aid treatment case. Increasing and long-term absenteeism. High attrition rate. | Serious injury causing hospitalisation or multiple medical treatments. Human error and skills shortage. Visa-dependent staff. | Life-threatening injury or multiple serious injuries causing hospitalisation. Loss of key staff. | Death or multiple life-threatening injuries. Significant loss of key staff. |
Financial | 1% of budget or <$X more competition. | 1% of budget or <$X. Increased interest rates. Increasing competition. Reducing demand or service quality. | >5% of budget or <$X. Cash-flow imbalance. Increasing claims. | >10% of budget or $X. Online security breach or fraud. | >25% of budget or >X. Significant fraud or breach. |
Legal and Regulatory Risks | Minor breach of policy. | Multiple breaches. | Major breach or breaches. | Regulator enquiry or warning. | Regulator action or significant fine. |
Operational Risks | Human error, low-impact mistakes. | Cost/unavailability of resources. Operational errors requiring management intervention. | Mis-selling, multiple errors or losses. | Theft, fraud, frequent errors or losses. | Significant error or loss which may result in business closure. |
Technology Risk | Downtime due to IT interruption. | Third-party risk: IT software and/or hardware failures. | IT disruption. Systems failure. | Outdated technology. System outage. | Unauthorised access. Significant or prolonged outage. |
Reputational | Negative client feedback. | Increase in complaints. | Coverage in local media & increased escalation. | Coverage in national media, loss of new/existing business. | Adverse national media coverage, regulator commentary. |
Likelihood \ Impact | Insignificant | Minor | Moderate | Major | Severe |
---|---|---|---|---|---|
Almost Certain | Medium | High | High | Extreme | Extreme |
Likely | Medium | Medium | High | High | Extreme |
Possible | Low | Medium | Medium | High | Extreme |
Unlikely | Low | Medium | Medium | High | High |
Rare | Low | Low | Medium | Medium | High |
Likelihood | Historical |
---|---|
Almost Certain | Is expected to occur in most circumstances |
Likely | Will probably occur |
Possible | Might occur at some time in the future |
Unlikely | Could occur but doubtful |
Rare | May occur but only in exceptional circumstances |
CONTROLS
Risk Register
How implemented: Risk Register is checked and updated prior to SMT meetings so that status is reported and assessed
Responsibility & Frequency: Business Risk Manager – Bi-Monthly
REFERENCE
FMA
Licensing requirements
FMCA 2013
431H: Liability for duties
Companies Act 1993
Sections 131 – 138 set out the Directors’ Duties.
Financial Management Policy
INTRODUCTION
Having sound financial management practices in our business will assist us to demonstrate how we meet our financial obligations. This helps to ensure that we have adequate financial resources for our business and to ensure that our finances are managed in a responsible way.
POLICY STATEMENT
We have a duty of care to comply with our licensing conditions and the Companies Act 1993 in relation to the financial viability of our business.
We ensure that we retain sufficient funds in our accounts to pay our debts as they fall due, and make allowance for the unexpected, such as insurance excess, clawbacks, etc.
We make allowances for ACC, Tax and GST and other known expenses.
We regularly monitor our financial resources and have 6x board meetings per annum to discuss budgets, cash flow and the Profit and Loss statement.
KEY PROCESSES
We ensure we have a good accounting software package (Xero) that can provide us with enough reporting to show us how we are tracking financially.
We assess the risk of our financial resources not being adequate to run our business, or a serious financial problem occurring; and take steps to prevent this risk occurring.
We put aside a portion of our income into a separate account to cover taxes, levies, potential commission reversals (clawbacks), and other periodic expenses.
We set a budget annually and review it on a quarterly basis with our board.
We set an annual cash flow forecast and compare how we are tracking against the cash flow every month to make sure that we remain on track.
We are aware that we must notify the FMA if a material change of circumstances
Expenditure levels, and who is authorised to incur them, are recorded in our delegations register.
Financial updates are loaded daily to our Cube – Power BI financial reporting system, in order to give us real time financial information across the nationwide business.
CONTROLS
Reconciliation
How implemented: Bank Statements are reconciled monthly.
Responsibility & Frequency: CIFO – monthly
External accountant
How implemented: Financial accounts reviewed by external accountant
Responsibility & Frequency: CIFO – annually
Budget, Profit and Loss and Cash flows
How implemented: The budget, Profit and loss and Cash flows reviewed to track actual against forecast
Responsibility & Frequency: CIFO – monthly
Delegations Register
How implemented: Spending levels set for staff
Responsibility & Frequency: CIFO
REFERENCE
FMA
Licensing requirements
Companies Act 1993
Part 8, 135 – Reckless trading
Part 1, 4 – Meaning of Solvency test
Material Issues & Breaches
INTRODUCTION
A material issue or breach typically refers to a significant violation or non-compliance with regulatory requirements, financial laws, or industry standards. The term “material” indicates that the issue or breach is substantial enough to have a significant impact on the affected parties, whether they are investors, market participants, or the overall integrity of the financial system.
Material issues or breaches may include, but are not limited to:
Non-compliance with regulatory requirements: Violations of laws and regulations governing financial markets, securities, or financial services.
Misleading or false information: Providing inaccurate or deceptive information in financial disclosures, reports, or other communications.
Market manipulation: Actions intended to artificially inflate or deflate the price of securities, commodities, or financial instruments.
Insider trading: Illegally trading securities based on non-public, material information.
Failure to disclose material information: Failing to disclose information that could significantly impact investment decisions or market conditions.
Risk management failures: Inadequate risk controls, leading to excessive exposure or losses.
Notification of material changes is a standard condition of our Full FAP Licence and applies where we materially change the nature of our financial advice service or manner in which we provide our financial advice service. The purpose of this standard condition is to ensure that the FMA are informed of any material changes that we make to our business, whether or not they may have an adverse effect on our ability to provide our financial advice service and whether or not they may relate to the requirements for issue of a licence being satisfied.
A Breach – It is possible that from time to time we may not be compliant with our obligations and be in breach. A material event is one where the confidentiality, integrity or availability of information and/or technology systems has been compromised.
We are required to identify when a breach occurs and put in place remedial action to rectify the breach. We record any breaches in our ‘Material Issues and Breaches Register’. Recording breaches helps identify where things go wrong in our business and look for any emerging trends or systemic issues. It also helps make sure that our processes are fit for purpose, compliant and working correctly.
Standard conditions for full FAP licence | Code of Professional Conduct for Financial Advice Services (Code Standard) | FMC Act |
---|---|---|
Standard condition 5 requires FAPs to have and maintain a business continuity plan that, among other things, includes procedures for responding to, and recovering from, events that impact on cybersecurity and continuity. FAPs must ensure information security of technology systems which, if disrupted, would materially affect the continued provision of your financial advice service, is maintained. FAPs are required to notify the FMA within 10 working days of discovering any event that materially impacts the information security of these critical technology systems. Under Standard condition 6, FAPs also need to ensure that policies, processes, systems, and controls are up to date and that they reflect any changes you may make to your business or service arrangements. | Code Standard 5 requires FAPs to ensure that client information is protected against loss and unauthorised access, use, modification, or disclosure. This includes maintaining physical and electronic security measures so that only authorised personnel of the FAP have access to client information. | The FMC Act imposes duties on persons who give regulated financial advice and on FAPs and interposed persons that engage them. These include the duty to comply with the standard conditions of the FAP licence and the Code Standards. FAPs are also required to exercise the care, diligence, and skill that a prudent person engaged in the occupation of giving regulated financial advice would exercise in the same circumstances. |
Reporting Requirements – General Reporting Conditions
MTG must, as soon as practicable, send details of the matter to the FMA:
When there is a change in the status of the FAP
Insolvency or bankruptcy
When there is any relevant proceeding or action (criminal) against –
The licensee, director or senior manager of the licensee
An authorised body or key personnel of the authorised body
When there are changes to the structure –
Changes to key personnel, director or senior manager – whether ceasing or starting
Name of legal structure changes
When a major business transaction takes place
Takeover, merger or acquisition
Reporting requirements – FMCA
MTG must, as soon as practicable, send details of the matter to the FMA if MTG:
has contravened, may have contravened, or is likely to contravene a market services licensee obligation in a material respect
a material change of circumstances has occurred, may have occurred, or is likely to occur in relation to the licence
information provided under section 395 (application for licence) or 404 (application for a verification) is false or misleading in a material particular
POLICY STATEMENT
If we have a material change or material breach within our business, we report these to FMA as soon as we become aware of them or within the required timeframe. The reporting timeframe is ten working days.
A material event is one where the confidentiality, integrity or availability of information and/or technology systems has been compromised. We do not need to notify the FMA of minor events, such as receiving a ‘phishing’ email.
KEY PROCESSES
When a potential material issue or breach occurs within our business, we record the issue in our Material Issues and Breaches register and determine a suitable remedial pathway forward.
Our BCP sets out MTG’s ‘Incident Response Plan’, which describes the course of action MTG will take to navigate a cyber incident.
Where a possible material breach has occurred, the business owner will notify the Managing Director, who will make the final call as to whether the breach is in fact material.
If material, we then report the issue to the FMA as soon as practicable, and in any case within 10 working days of becoming aware of the issue.
Staff and Adviser Training
In order to cultivate a culture of awareness of and commitment to cyber resilience within MTG we provide training support to staff so they are aware of their responsibilities.
We provide training on cyber risks that exist, and on how to respond to and report them.
Other Notification Requirements
We have other notification requirements mandated by legislation that may be triggered by a cyber incident. For example, under the Privacy Act 2020, if we have a privacy breach that either has caused or is likely to cause anyone serious harm, we will need to notify the Privacy Commissioner and any affected people as soon as practicable (see Privacy Policy).
KEY CONTROLS
Staff & Adviser Training
How implemented: LMS Training Module – Identification and response/reporting
Responsibility & Frequency: L&D Co-Ordinator – Annual
Staff & Adviser Training
How implemented: Regular Cyber Security Comms & Reminders
Responsibility & Frequency: MTG Newsletter
Material Issues and Breaches Register
How implemented: Identify when a breach/material issue occurs. Record any issues in Material Issues & Breaches Register
Responsibility & Frequency: Rupert G – Ongoing
REFERENCE
FMA
Licensing requirement – Standard condition notification of material changes
Companies Act 1993
431S – Protection of individual who reports breach
Related Policies
Privacy Policy
IT Systems & Security
BCP
Advertising & Fair Dealing Policy
🛑 CPD Point Available For This Section 🛑
OVERVIEW
Our marketing and advertising will accurately portray who we are and what we do. All marketing and advertising collateral will comply with legislation, regulation, and code, and will meet our good conduct obligations.
Documents and communication must be clear, concise, and effective.
This policy applies to all directors, employees, contractors, and financial advisers that are engaged by MTG/Mortgage Lab.
INTRODUCTION
Advertising and marketing materials include any publicly available information that could influence a client in their decision-making process regarding a product or service.
Examples include brochures, newspaper/magazine/online ads, our website, social media platforms, business cards, flyers, and radio messages.
Given our diverse client base, clear communication is essential to avoid confusion or misrepresentation. Misleading or deceptive behaviour may breach both regulatory obligations and our internal standards.
PURPOSE
This policy ensures that:
All advertising and marketing by MTG is compliant.
No materials or activities mislead, confuse, or deceive clients.
REGULATORY OBLIGATIONS
Under Part 2 of the Financial Markets Conduct Act 2013 (FMC Act), the principles of fair dealing prohibit:
Misleading or deceptive conduct
False or misleading representations
Unsubstantiated representations
Unsolicited offers of financial products
The FMC Act provisions align with those in the Fair Trading Act 1986.
POLICY STATEMENT
All advertising and marketing materials created by MTG/Mortgage Lab must follow internal checks and the sign-off process.
This policy applies to all representations regarding the advice, promotion, and sale of products and services, including print, broadcast, digital, verbal, and promotional activities.
Mass Email Communications
Mass emails are defined as any email sent to more than 2% of the MTG client base.
No mass email (e.g. newsletters, promotional campaigns) may be distributed without prior approval.
Staff must prepare the wording for the intended mass email and submit it to management for review and sign-off.
Once approved, design and formatting will be completed by the MTG marketing team.
KEY PROCESSES
All advertising and promotional activities must:
Avoid misleading or deceptive content.
Contain no false or misleading claims.
Respect the trust and experience level of clients.
All staff with sales and advice responsibilities must:
Be trained on this policy at induction and through regular updates.
Be informed of all current advertising and promotions related to products/services they provide.
Immediately report any suspected breaches to a Senior MTG Manager.
Errors in published materials must be corrected promptly and communicated to affected clients. Outdated advertising must not be used.
WHEN TO SEEK APPROVAL
1. General Well-Wishing Messages: No approval required (e.g. holiday greetings).
2. Product-Specific Content: Compliance sign-off required.
3. Educational Content: May not require sign-off, unless content could be perceived as advice.
4. Market Opinions/Advice: Always requires compliance sign-off.
5. Risk Disclosures: Always requires compliance review.
SOCIAL MEDIA GUIDANCE
Posts referencing clients, products, services, staff, or processes must:
Be archived for at least seven years.
Avoid financial product opinions, recommendations, or guarantees.
Exclude any defamatory, harassing, or private client content.
Avoid negative references to competitors or internal staff.
Not disclose MTG proprietary or confidential business information.
CONTROLS
1. Training
Via CPD module on intranet
Responsibility: Head of Insurance & KiwiSaver / Head of Mortgages
Timing: Induction & Annual
2. Advertising Sign-Off
Notification sent to: Marketing VA (Anne), Rupert G, and Sian J
Annual audit: Rupert G (Compliance Assurance Programme)
3. Breach Reporting
Must be reported to Rupert G
Logged in Material Issues & Breaches Register and/or Complaints Register
Reviewed: Bi-Monthly SMT
See related policies
Complaints Policy
REFERENCE
Financial Markets Conduct Act 2013
Part 2, Fair Dealing sets out the obligations for misleading or deceptive conduct generally in relation to financial products and services.
A person must not, in trade, engage in conduct that is misleading or deceptive or likely to mislead or deceive in relation to any dealing in financial products; or the supply or possible supply of a financial service or the promotion by any means of the supply or use of financial services.
A person must not engage in conduct that is misleading or deceptive or likely to mislead or deceive in relation to any dealing in quoted financial products.
FMCA 2013
431P – False or misleading statements and omissions
Fair Trading Act 1986
The Fair Trading Act 1986 protects clients against being misled or treated unfairly by traders or shops. The Act prohibits misleading and deceptive conduct, unsubstantiated claims, false representations and certain unfair practices. It also sets out when information about certain products must be disclosed to clients and helps ensure products are safe. www.consumer.org.nz/articles/fair-trading-act
Professional Indemnity Insurance Policy
INTRODUCTION
Professional Indemnity Insurance is a requirement for any adviser or business that is paid to provide professional advice or service. We have a duty of care to our clients, and therefore need to ensure we are adequately protected. PII covers legal costs and expenses incurred in any defence, as well as any costs that may be awarded. We ensure that we have an appropriate level of cover for the business.
The risk of a claim being made against us isn’t always determined by our skill or level of professionalism. There is always the risk of an unhappy client making a claim against us.
A Professional Indemnity claim could arise from:
Failing to provide promised services
Being negligent in rendering professional services
Providing substandard, incomplete, or incorrect work
Making mistakes or oversights
Any omissions in the provision of our service
POLICY STATEMENT
MTG has taken the appropriate level of professional indemnity cover for legal and defence costs, as well as compensation payable to the party making the claim, up to stated policy limits. We use an external specialist provider for our PI cover.
KEY PROCESSES
We maintain an appropriate level of professional indemnity insurance to cover risks related to our business;
Our level of PI insurance cover is adequate and appropriate for the nature, scale and complexity of our business relating to our FAP licence;
We review our PI insurance annually to ensure we are adequately covered; and
We make sure we have enough resources to meet the policy excess in the event of a claim.
CONTROLS
Annual Policy Renewal
How implemented: Policy renewal is received, level of cover is checked against business requirements to see if still adequate or needs adjusting
Responsibility & Frequency: Head of Compliance – Annually
New Advisers Added/Leavers Removed
How implemented: When an adviser is added to or removed from our FAP on the FSPR, they are automatically added to (or removed from) our Professional Indemnity cover.
Responsibility & Frequency: Head of Channel - Automatic
Outsourcing Policy
INTRODUCTION
As a small business, we need to outsource some functions to third parties. It’s important that we protect our reputation and our clients by conducting robust background checks, putting contractual agreements in place, and performing regular reviews to ensure suppliers of key functions are up to the task and can meet our expectations and Financial Advice Provider (FAP) obligations.
As a FAP, we remain responsible for any functions that we outsource. Key FAP functions that might be outsourced include:
Oversight and compliance functions
Record keeping and IT services (eg digital CRM)
Training services
Advice services (including digital advice)
The purpose of this policy is to set out the processes to follow if a key function is outsourced. While MTG can outsource a function, we remain responsible for ensuring the service complies.
POLICY STATEMENT
When we outsource certain functions of our licence, we are aware that the provider is performing some of the licensed functions of our business. It is important then that we ensure they will meet certain standards so that we meet our regulatory obligations.
We complete due diligence on the business we are considering using by completing an outsource checklist and if we continue and use the services, we complete an outsource agreement outlining our expectations.
We must have contractual arrangements in place with each provider which enable us to monitor their performance and allow us to act if they do not perform. Records held by the provider must be readily available to us.
KEY PROCESSES
We will complete due diligence with the use of our outsource checklist to see if the business has the competence, knowledge, and skill to provide a compliant and reliable service on our
We will complete an outsourcing agreement with the provider that outlines the expected standards of performance and will also include a termination clause for non-performance or non-compliance.
We ensure that all information and records that the outsource provider holds will be available for inspection by the FMA on request.
We will complete a regular review to ensure that each provider is, and remains, capable of performing the service to the standard requirements to meet our licence obligations.
The frequency of the review will take a risk-based approach.
CONTROLS
Outsource agreement and checklist
How implemented: Outsource agreement (Risk) and checklist to be completed and held on file
Responsibility & Frequency: Head of Compliance – Annually
REFERENCE
FMA
Licensing requirement – standard condition for Outsourcing
FMC Act 2013 (FSLAA)
431Q – Persons engaging others to give advice must ensure compliance with duties
Outsourcing Due Diligence & Approval Form
Fit & Proper Policy & Declaration
Fit & Proper and Capability Policy for Directors and Senior Managers
Purpose: The purpose of this policy is to establish clear guidelines and expectations regarding the fit & proper and capability requirements for individuals serving as directors and senior managers of MTG and Mortgage Lab.
Scope: This policy applies to all individuals holding the positions of director and senior manager within MTG and Mortgage Lab.
Fit and Proper Standards: All directors and senior managers must meet fit and proper standards. These standards include:
Competence and Capability: Directors and senior managers are expected to have the necessary skills, knowledge, and experience to fulfil their roles effectively. This may involve having relevant qualifications, industry experience, and ongoing professional development.
Integrity and Character: Individuals in these positions are expected to demonstrate high standards of integrity and ethical behaviour. Any history of dishonesty, fraud, or other unethical conduct will be considered when assessing fitness and propriety.
Regulatory Compliance: Individuals should have a good understanding of the relevant laws and regulations governing the financial services industry in New Zealand. Compliance with regulatory requirements is crucial for maintaining fit and proper status.
Reputation: The reputation of directors and senior managers will be a factor in determining fitness and propriety. Any past actions that could impact the reputation of MTG and Mortgage Lab, or the industry will be considered.
Conflict of Interest: Individuals in these roles should be able to identify and manage potential conflicts of interest appropriately.
Capability Requirements: Directors and senior managers are expected to possess the necessary skills, knowledge, and experience to effectively perform their roles. This includes:
Ongoing professional development to stay abreast of industry changes.
Compliance with educational and training requirements. For those in advice roles, completion of the NZCFS Level 5 and ongoing CPD is mandatory. For directors and senior managers in non-advice roles, education and training suitable to the role is required.
All directors and senior managers are required to annually complete MTG’s prescribed training modules accessed via our in-house LMS (refer T&D Policy).
Annual assessment via attestation of individual and collective capabilities to ensure alignment with the business strategy and regulatory requirements.
Appointment Process: The appointment of directors and senior managers will be conducted in accordance with the following process:
Nomination and vetting process to assess fit and proper criteria, including completion of MTG/Mortgage Lab’s fit & proper attestation.
Evaluation of qualifications, experience, and competence relevant to the position
Approval by the Board and submission/approval from the FMA as required.
Ongoing Monitoring: Continuous monitoring of the fit and proper status and capability of directors and senior managers will be conducted through:
Annual reviews of qualifications, experience, and competence including internal and external CPD undertaken.
Monitoring of any conflicts of interest.
Reporting Requirements: Directors and senior managers are required to promptly report any changes in their fit and proper status or capabilities to the Board as required.
Consequences of Non-Compliance: Non-compliance with fit and proper standards and capability requirements may result in disciplinary action, including but not limited to removal from the position or other actions deemed appropriate by the Board and in accordance with regulatory guidelines.
Review and Revision: This policy will be reviewed annually to ensure its ongoing relevance and compliance with regulatory requirements. Any necessary revisions will be made promptly, and the updated policy will be communicated to relevant stakeholders.
CONTROLS
LMS
How Implemented: Prescribed training modules completed
Responsibility/Frequency: Compliance Manager – Ongoing
Attestation
How Implemented: All Directors & SLT members required to complete attestation
Responsibility/Frequency: Compliance Manager – Annually
See related policies
Training & Development Policy
REFERENCES
FMC Act
Licensing requirement – directors and senior managers are fit and proper persons to hold their respective positions
IT Systems and Security Policy
INTRODUCTION
As a business we are required under New Zealand law to make sure that we protect the privacy and information we hold on our clients and staff.
The loss of information could severely impact the way we operate and lead to reputational and financial damage.
The objectives of this IT security policy are the preservation of confidentiality, integrity, and availability of systems.
POLICY STATEMENT
We have established our IT security policy to ensure that all staff are aware of the computer security policies for maintaining a secure operating environment.
The policy also defines acceptable and unacceptable use and staff’s responsibilities for maintaining security when using and accessing our information systems.
There are three main objectives for IT security:
Confidentiality – protecting access to sensitive data from those who don’t have a legitimate need to use it
Integrity – ensuring that information is accurate and reliable and cannot be modified in unexpected ways
Availability – ensuring that data is readily available to those who need to use it
ACCEPTABLE USE
The types of activities that staff/contract advisers are encouraged to participate in and those considered acceptable practice when using systems include:
Research on the Internet related to developing professional skills related to one’s position
Acquiring or sharing information necessary or related to the performance of an individual’s assigned responsibilities
Reasonable use of computing facilities for personal correspondence (e.g. sending personal emails, using Internet websites) so long as it does not interfere with productivity or consume sustained high-volume traffic
UNACCEPTABLE USE
The types of activities that are considered unacceptable practice include:
Use of company digital technology and Internet services for illegal or unlawful purposes. This includes but is not limited to intentional copyright infringements, software license infringements, obscenity, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation and computer tampering (e.g. spreading computer viruses or destruction of data owned by others)
Intentionally using company digital technology and Internet services to visit Internet sites or receive information that contains obscene, pornographic, hateful or other objectionable material
Attempting to gain access to any computer system, information, or resources without the authorisation of the relevant owner
Knowingly or recklessly transmitting or distributing any information or material which contains a virus, worm, Trojan Horse, or any other harmful component
Posting, publishing, transmitting, or distributing any unsolicited advertising through mass electronic mail or other direct transmission
Using digital technology and Internet services to reveal or publicise restricted or proprietary information, including but not limited to: financial data, intellectual property, strategy documents, staff details, client databases, or access credentials
Using company digital technology or equipment to conduct personal business unrelated to Maurice Trapp Group and its subsidiaries
Excessive consumption of bandwidth for non-work-related purposes, including illegal downloading, streaming, or online gaming without a clear business or educational purpose
All use must comply with all applicable laws. Breach of this policy may be deemed a breach of contract and appropriate action will be taken.
USE OF AI SYSTEMS
The use of artificial intelligence (AI) systems is restricted to approved channels in order to protect client privacy and company data.
The use of AI systems is prohibited for all client-related activities, except in the following specific cases:
Meetings: AI features may be used in Zoom, Microsoft Teams, or Google Meet — but only if the meeting is held using a Maurice Trapp Group-funded account or its subsidiaries’ accounts.
Content Generation (e.g. emails, newsletters, blog posts): ChatGPT may be used for content creation, but only through a paid account, not the free version.
Other situations where formal approval has been given by Maurice Trapp Group or its subsidiaries (for example, if Trail CRM integrates AI).
All other use of AI tools or platforms for work-related activities — including client correspondence, document preparation, or data entry — is strictly prohibited. This includes free, personal, or unapproved AI tools.
Note that the use of AI such as Siri or Alexa for non-client functions falls outside of this policy.
This policy is in place because use of unapproved AI platforms may expose private client data to training datasets, which puts personal and sensitive information at risk.
KEY PROCESSES
This section sets out the security practices that control access to information and computer systems.
The following apply:
Only MTG staff and authorised visitors are allowed to access the company’s systems.
User accounts are to be created and managed by MTG. This includes:
The creation and deletion of all user accounts.
Periodic auditing of accounts to verify account status.
All user accounts are required to change passwords at least once every 6 months.
Passwords should be strong and unique, with a combination of upper- and lower-case characters and symbols.
Passwords must never be disclosed to another user or staff member.
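The access rules above (authorised users only, periodic account auditing, password rotation at least every 6 months, and the password strength rule) can be turned into a repeatable check. The script below is an added example written for this policy and is not MTG’s own tooling; the account-export fields, the 183-day reading of "6 months", the 12-character minimum length and the 90-day dormancy threshold are all assumptions, and the account records are constructed sample data.

```python
"""Account-hygiene audit for the access rules in the IT Systems and Security Policy.

Added example (not MTG's own tooling). Checks a constructed account export against:
  * only staff and authorised visitors may hold accounts;
  * passwords must be rotated at least every 6 months (assumed here as 183 days);
  * passwords must contain upper- and lower-case characters and symbols
    (a 12-character minimum is an added assumption, not in the policy text);
  * disabled or dormant accounts are surfaced for the periodic status audit
    (the 90-day dormancy threshold is an assumption).
"""
from __future__ import annotations

import re
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=183)   # "at least once every 6 months" (assumed as 183 days)
DORMANT_AFTER = timedelta(days=90)       # assumed threshold for "verify account status"
ALLOWED_ROLES = {"staff", "visitor"}     # "Only MTG staff and authorised visitors"

# Constructed sample export; field names are assumptions about an account export format.
SAMPLE_ACCOUNTS = [
    {"user": "a.smith", "role": "staff", "pw_changed": "2025-07-01", "last_login": "2025-09-08", "enabled": True},
    {"user": "b.jones", "role": "staff", "pw_changed": "2025-01-15", "last_login": "2025-09-05", "enabled": True},
    {"user": "visitor1", "role": "visitor", "pw_changed": "2025-08-20", "last_login": "2025-08-21", "enabled": True},
    {"user": "old.contractor", "role": "contractor", "pw_changed": "2024-11-02", "last_login": "2025-02-10", "enabled": True},
    {"user": "c.wong", "role": "staff", "pw_changed": "2025-06-30", "last_login": "2025-09-01", "enabled": False},
]


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Strength rule from the policy: upper- and lower-case characters and symbols.

    The minimum length is an added assumption; the policy text does not state one.
    """
    return (
        len(password) >= min_length
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None  # at least one symbol
    )


def audit_accounts(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Return {user: [findings]} for every account that breaks one of the rules."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues: list[str] = []
        if acct["role"] not in ALLOWED_ROLES:
            issues.append("role not authorised for system access")
        if today - date.fromisoformat(acct["pw_changed"]) > MAX_PASSWORD_AGE:
            issues.append("password older than 6 months")
        if not acct["enabled"]:
            # Policy covers creation and deletion of accounts: a disabled account
            # that is still present should be confirmed for deletion.
            issues.append("disabled account still present; confirm deletion")
        elif today - date.fromisoformat(acct["last_login"]) > DORMANT_AFTER:
            issues.append("no login in 90 days; verify account status")
        if issues:
            findings[acct["user"]] = issues
    return findings


def format_report(findings: dict[str, list[str]]) -> str:
    """Plain-text summary suitable for the periodic account audit record."""
    if not findings:
        return "No account-hygiene findings."
    lines = [f"{len(findings)} account(s) need attention:"]
    for user, issues in sorted(findings.items()):
        lines.append(f"  {user}: " + "; ".join(issues))
    return "\n".join(lines)


if __name__ == "__main__":
    # Audit date aligned with the policy review date on this page.
    print(format_report(audit_accounts(SAMPLE_ACCOUNTS, date(2025, 9, 9))))
```

Run against a real export, the findings list is what the periodic account audit records and what drives the password-rotation reminders; the role check is the control for "only MTG staff and authorised visitors", and the disabled/dormant checks cover the deletion side of account management.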
SECURITY
Computers are to be locked when users are away from their desk.
We regularly back up the IT systems and securely store the backup information. Mortgage Lab emails, calendar and Google Drive documents are backed up daily by a third party called afi.ai.
Only reviewed and approved software is to be installed on company devices.
IT security software, including anti-virus software, is regularly checked and updated.
Training is provided to help advisers and staff identify phishing threats.
Network security is regularly checked by our IT outsource provider.
Business Continuity Plan (BCP)
We regularly review our Business Continuity Plan (BCP) to make sure there would be minimal impact on the business and clients in the event of a natural disaster or any other interruption to our day-to-day business. The BCP includes contact details for staff and suppliers.
All staff are trained in this policy.
CONTROLS
Training register
How implemented: Training in the IT security policy and training register updated
Responsibility & Frequency: L&D Co-Ordinator
BCP
How implemented: BCP to be reviewed to ensure that it is up to date with latest IT details
Responsibility & Frequency: Head of Finance & IT
Material event
How implemented: Triggers a reporting obligation to the FMA
Responsibility & Frequency: Head of Finance & IT
Cyber Protection
How implemented: 2FA for Mortgage Lab emails and TrailCRM
Responsibility & Frequency: Head of Mortgages
REFERENCES
Privacy Act
The Privacy Act 2020 deals with the collection, storage and use of personal information about identifiable individuals and therefore principally affects Client marketing. Everyone in the organisation who handles personal information should have an understanding of the Information Privacy Principles and the objectives
Code of Professional Conduct for Financial Advice Services
Code Standard 5. PROTECT CLIENT INFORMATION
A person who gives financial advice must take reasonable steps to protect client information against loss and unauthorised access, use, modification, or disclosure.
FMA
Licensing requirement – condition re business continuity and technology systems.
See related policies
Privacy Policy
Material Issues and Breaches Policy