Risk Management Agreement Policy
Risk Management Policy
Compliance Policy Document
| Company | Cubo Markets Ltd. (registration no. 2026-00241) |
| Document | Risk Management Policy |
| Reference | CM-RSK-001 |
| Version | 1.0 |
| Effective date | 01 June 2026 |
| Jurisdiction | Saint Lucia |
| Classification | Internal — Compliance |
| Owner | Money Laundering Reporting Officer / Compliance Function |
This Risk Management Policy (the “Policy”) establishes the framework through which Cubo Markets Ltd. (“the Company”) identifies, assesses, monitors, controls and reports the risks arising from its activities as a provider of online trading services. Effective risk management protects the Company, its clients and its counterparties, and supports the sound and prudent conduct of the business.
The Policy is approved by senior management and is reviewed on a regular basis to ensure it remains appropriate to the nature, scale and complexity of the Company’s operations.
1. Purpose and Objectives
The purpose of this Policy is to embed a consistent, structured and proportionate approach to risk management across the Company. Its objectives are to ensure that material risks are identified and understood, that risks are kept within the Company’s stated risk appetite, that controls are effective and tested, and that risk information flows clearly to those responsible for decision-making.
2. Scope
This Policy applies to all business activities, functions and personnel of the Company. It addresses the principal categories of risk to which the Company is exposed and sets out the governance arrangements, responsibilities and processes for managing them.
3. Definitions
Risk means the effect of uncertainty on the Company’s objectives, including the possibility of financial loss, regulatory breach, operational disruption or reputational harm.
Risk Appetite means the amount and type of risk the Company is willing to accept in pursuit of its objectives.
Inherent Risk means the level of risk before the application of controls; Residual Risk means the level of risk remaining after controls have been applied.
Risk Register means the central record in which the Company documents identified risks, their assessment, the controls in place and the actions required.
4. Risk Governance Framework
The Company operates a risk governance framework based on clear allocation of responsibility and on the principle of independent challenge.
4.1 Board and Senior Management
Senior management owns the risk management framework, approves the Company’s risk appetite, ensures that adequate resources are devoted to risk management and compliance, and receives regular reporting on the Company’s risk profile. Senior management sets the tone from the top and is accountable for the overall effectiveness of the framework.
4.2 Three Lines of Defence
- First line: business and operational functions that own and manage risk in the course of their activities and operate day-to-day controls.
- Second line: the risk and compliance functions, which set policy, provide oversight and challenge, and monitor the risk profile independently of the first line.
- Third line: independent assurance (internal or external review) that evaluates the design and effectiveness of the framework and reports findings to senior management.
5. Risk Appetite
The Company defines its risk appetite as the level and types of risk it is prepared to accept to achieve its objectives. The Company maintains a low appetite for risks relating to regulatory non-compliance, financial crime and client harm, and manages market, credit, liquidity and operational risks within defined limits and tolerances. Risk appetite is approved by senior management and is translated into specific limits, thresholds and key risk indicators.
6. Principal Risk Categories
6.1 Market and Dealing Risk
Market risk arises from movements in the prices of the instruments the Company offers and from the Company’s exposure to client positions. The Company manages this exposure through position and exposure limits, monitoring of net open exposure, the use of hedging and risk-transfer arrangements where appropriate, and the application of an execution and dealing model designed to keep exposure within approved tolerances.
6.2 Credit and Counterparty Risk
Credit and counterparty risk arises from the potential failure of clients, liquidity providers, payment partners or banking counterparties to meet their obligations. The Company manages this risk through counterparty selection and review, diversification where practicable, monitoring of exposures, and appropriate margin and negative-balance-protection arrangements with clients.
6.3 Liquidity Risk
Liquidity risk is the risk that the Company is unable to meet its financial obligations as they fall due. The Company monitors its liquidity position, maintains adequate liquid resources relative to its obligations, and plans for stressed conditions.
6.4 Operational Risk
Operational risk arises from inadequate or failed internal processes, people and systems, or from external events. The Company manages operational risk through documented procedures, segregation of duties, access controls, change management, supplier oversight, and the recording and analysis of incidents and near-misses.
6.5 Technology and Cybersecurity Risk
The Company depends on technology platforms for trading, payments and client servicing. It manages technology and cybersecurity risk through access management, encryption, monitoring, vulnerability and patch management, backups, and incident-response procedures designed to protect the confidentiality, integrity and availability of systems and data.
6.6 Compliance and Regulatory Risk
Compliance risk is the risk of legal or regulatory sanction, financial loss or reputational damage arising from a failure to comply with applicable laws, regulations and standards. The Company manages this risk through its compliance framework, monitoring of regulatory developments, and the maintenance of policies including its AML/CTF and Customer Due Diligence policies.
6.7 Financial Crime Risk
Financial crime risk, including money laundering, terrorist financing, fraud and sanctions breaches, is managed through the controls set out in the Company’s Anti-Money Laundering and Counter-Terrorist Financing Policy and Customer Due Diligence (KYC) Policy, which form an integral part of this risk framework.
6.8 Reputational Risk
Reputational risk may arise from any of the above categories as well as from conduct, communications and client outcomes. The Company seeks to manage reputational risk by acting with integrity, treating clients fairly, and addressing complaints and incidents promptly.
7. Client Risk Categorisation
In line with its AML/CTF and Customer Due Diligence policies, the Company categorises clients by risk level. Risk categorisation informs the intensity of due diligence and monitoring applied to each relationship and is reviewed on a periodic and trigger basis.
8. Risk Identification and Assessment
The Company identifies risks through its business-wide risk assessment, incident analysis, monitoring activity and input from across the business. Each identified risk is assessed for likelihood and impact to determine its inherent and residual rating. Risks are recorded in the Risk Register together with the controls in place and any required mitigating actions.
9. Risk Controls and Mitigation
For each material risk, the Company implements proportionate controls designed to reduce the likelihood or impact of the risk to within appetite. Where residual risk exceeds appetite, additional controls or mitigating actions are defined, assigned to an owner, and tracked to completion. Controls are reviewed for continued effectiveness.
10. Business Continuity and Disaster Recovery
The Company maintains business continuity and disaster recovery arrangements designed to maintain or restore critical services in the event of disruption. These arrangements address data backup and recovery, alternative processing capability, and communication with clients and stakeholders, and are tested periodically.
11. Risk Monitoring and Reporting
The Company monitors its risk profile on an ongoing basis using key risk indicators, limit monitoring and incident reporting. The risk and compliance functions report periodically to senior management on the Company’s risk profile, material incidents, control effectiveness and the status of remedial actions. Material risk events are escalated promptly.
12. Risk Register
The Company maintains a Risk Register as the central record of identified risks. For each risk, the Register records a description, the risk category and owner, the inherent and residual assessment, the controls in place, and any mitigating actions with target dates. The Risk Register is reviewed and updated on a regular basis.
13. Roles and Responsibilities
- Senior management: approves the framework and risk appetite and oversees the risk profile.
- Risk and compliance functions: maintain the framework, provide independent oversight and challenge, and report to senior management.
- Business and operational functions: own and manage risk in their areas and operate day-to-day controls.
- All staff: comply with this Policy and report risks, incidents and control weaknesses through the appropriate channels.
14. Review of this Policy
This Policy is reviewed at least annually, and additionally following any material change in the Company’s business, risk profile or regulatory environment, or following a significant risk event. Senior management approves material changes, and the date and substance of each review are recorded.
15. Governing Law
This Policy forms part of the Company’s internal control framework and is governed by, and shall be construed in accordance with, the laws of Saint Lucia. It is to be read together with the Company’s Anti-Money Laundering and Counter-Terrorist Financing Policy and Customer Due Diligence (KYC) Policy.