Content Options

View Options

Status: You are viewing the version of the handbook as on 2009-03-31.

CRED 4.3 Systems and Controls

General

CRED 4.3.1G

SYSC 3.1.1 R requires that every firm, including a credit union, takes reasonable care to establish and maintain such systems and controls as are appropriate to its business.

CRED 4.3.2G

SYSC 3.1.1 R is a high level rule which allows firms to put in place the systems and controls that are appropriate and effective for their particular circumstances. What is appropriate for a particular credit union will depend upon such matters as the nature, scale, and complexity of its business, the volume and size of its transactions, and the level of risk associated with its operations.

CRED 4.3.3G

A small version 1 credit union will not be expected to have the same systems and controls as a large version 2 credit union.

CRED 4.3.4G

SYSC 3.2 deals with the areas to be covered by systems and controls. Guidance on how this applies to credit unions is provided below.

Rules and evidential provisions

CRED 4.3.5R

A credit union must establish, maintain and implement an up-to-date business plan approved by the committee of management and supply a copy on request to the FSA.

CRED 4.3.6G

Guidance on business planning is given in CRED 4.3.61 G - CRED 4.3.68 G.

CRED 4.3.7R

A credit union must establish, maintain, and implement an up to date and fully documented policies and procedures manual, and supply a copy on request to the FSA.

CRED 4.3.8G

Guidance on documentation of policies and procedures is given in CRED 4.3.69 G - CRED 4.3.71 G.

CRED 4.3.9R

A credit union must establish, maintain and implement a fully documented system of control.

CRED 4.3.10G

Guidance on the documentation of systems of control is given in CRED 4.3.28 G - CRED 4.3.31 G.

CRED 4.3.11E
  1. (1)

    A credit union should have an internal audit function4 (this may be either in house or outsourced to a third party).

    4
  2. (2)

    Contravention of CRED 4.3.11 E (1)) may be relied on as tending to establish contravention of SYSC 3.1.1 R (see CRED 4.3.1 G).

CRED 4.3.12G

The term 'internal audit function' in CRED 4.3.11 E refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28). 4Guidance on internal audit is given in CRED 4.3.50 G.-.CRED 4.3.60 G.

CRED 4.3.13E
  1. (1)

    A credit union should ensure appropriate segregation of duties in order to minimise the risk of financial crime or contravention of requirements and standards under the regulatory system.

  2. (2)

    Contravention of CRED 4.3.13 E (1) may be relied on as tending to establish contravention of SYSC 3.1.3 G.

CRED 4.3.14G

Guidance on segregation of duties is given in CRED 4.3.26 G - CRED 4.3.27 G.

Committee of management

CRED 4.3.15G

Under Schedule 1 to the Credit Unions Act 1979, a credit union is required to have a committee of management. The committee of management should be competent to control the affairs of a credit union, and have an appropriate range of skills and experience having regard to the activities carried on by the credit union.

CRED 4.3.16G

CRED 6.2 provides additional guidance for credit unions on the Statements of Principle for Approved Persons (see alsoAPER 2.1.2 P). In accordance with Statement of Principle 7, it is the responsibility of each individual member of the committee of management to understand, and ensure that the credit union complies with, the requirements of all the relevant Acts, secondary legislation, and rules.

CRED 4.3.17G

As the credit union's governing body, the committee of management has responsibility for ensuring that the credit union complies with the requirements of SYSC 3.1.1 R (see CRED 4.3.1 GCRED 4.3.2 G). Accordingly, the committee of management has overall responsibility for the following matters:

  1. (1)

    to establish objectives and formulate a business plan;

  2. (2)

    to monitor the financial position of the credit union;

  3. (3)

    to determine and document policies and procedures;

  4. (4)

    to direct and coordinate the work of all employees and volunteers, and ensure that they are capable and properly trained;

  5. (5)

    to maintain adequate reserves;

  6. (6)

    to make provision for bad and doubtful debts;

  7. (7)

    to recommend a dividend on shares to members subject to the credit union's financial position;

  8. (8)

    to ensure that the credit union complies with all statutory and regulatory requirements;

  9. (9)

    to ensure that the credit union complies with the requirements of its registered rules.

Where a committee of management has responsibility for these matters on a day to day basis (that is, they are not delegated to a chief executive or manager) it seems highly likely that each member of the committee would be performing the apportionment and oversight function, and would therefore require individual approval.

CRED 4.3.18G

The committee of management should meet at least monthly.

Organisation

CRED 4.3.19G

Guidance on organisational arrangements is located in SYSC 3.2.2 G - SYSC 3.2.5 G.

CRED 4.3.20G

A credit union should have clearly defined organisational arrangements and procedures. These arrangements and procedures should be properly documented.

CRED 4.3.21G

Those credit unions that do not have a permanent place of business or permanent full-time staff should take particular care to ensure that their organisational arrangements are robust and clear.

CRED 4.3.22G

The delegation of functions and tasks should take place within an appropriate framework. This should distinguish between those decisions reserved for the committee of management and those delegated to sub-committees, volunteers or employees.

CRED 4.3.23G

There should be arrangements to supervise delegation. This should include establishing appropriate reporting mechanisms and procedures for monitoring.

CRED 4.3.24G

Reporting lines should be clear and appropriate having regard to the nature, scale, and complexity of the credit union and its business.

CRED 4.3.25G

SYSC 3.2.4 G specifically covers the issue of outsourcing. Guidance relevant to delegation within a credit union is also relevant to external delegation ("outsourcing"). A credit union cannot contract out its regulatory obligations, and remains ultimately responsible for any activities or functions that are outsourced. A credit union should therefore take reasonable care to supervise any outsourced activities, and obtain sufficient information to be able to assess the impact of outsourcing on its systems and controls.

CRED 4.3.26G

CRED 4.3.13 E states that all credit unions should ensure appropriate segregation of duties. Duties should be segregated to prevent one individual from initiating, controlling, and processing a transaction (for example, approval and payment of an invoice).

CRED 4.3.27G

Responsibilities of connected persons (for example, relatives and other close relationships) should be kept entirely separate. Such persons should not hold key posts at the same time. Where this is unavoidable, a credit union should have a written policy for ensuring complete segregation of duties and responsibilities.

Documentation of systems of control

CRED 4.3.28G

CRED 4.3.9 R requires a credit union's system of control to be fully documented. The documentation helps the committee of management to assess if systems are maintained and controls are operating effectively. It also helps those reviewing the systems to ensure that the controls are those that have been authorised, and that they are adequate for their purpose.

CRED 4.3.29G

The committee of management should determine the form of documentation to be adopted. Considerations should include the following:

  1. (1)

    It should be comprehensive. It should cover all material aspects of the operations of the credit union.

  2. (2)

    It should be integrated. Separate elements of the system should be cross referred so that the system can be viewed as a whole.

  3. (3)

    It should identify risks, and the controls established to manage those risks. The controls should be identified and their purpose defined so that their effectiveness can be evaluated.

  4. (4)

    There should be named persons or posts for each control function, and alternatives in case of absence.

  5. (5)

    It should state how the operation of the control is evidenced. Evidence might include signatures, records and registers, retention of control documents.

  6. (6)

    It should be unambiguous. Instructions should be clear and precise, avoiding expressions such as "normally" and "if possible".

  7. (7)

    It should be practical. The separate elements should have a practical role in the review and improvement of systems.

  8. (8)

    It should be up to date. There should be an accurate description of the function that the control is to address. When changes are made to the function, the appropriate systems of control need to be updated and documented at the same time.

  9. (9)

    The committee of management should, from time to time, seek confirmation that the systems of control are being complied with.

CRED 4.3.30G

Documentation should not be restricted to "lower level" controls applied in processing transactions, but should also cover "high level" controls including:

  1. (1)

    powers to be exercised only by the committee of management, and powers delegated to others;

  2. (2)

    the purpose, composition and reporting lines of sub-committees, and senior managers to whom responsibilities are delegated;

  3. (3)

    the specific roles and responsibilities of individual officers;

  4. (4)

    the timing, form and purpose of meetings of the committee of management and sub-committees, and the way in which policies and decisions are recorded and their implementation monitored.

CRED 4.3.31G

The documentation of IT controls should be integrated within the overall documentation of a credit union's system of control.

Accounting records and systems

CRED 4.3.32G

SYSC 3.2.20 R requires that a credit union takes reasonable care to make and retain adequate records of all matters governed by the Act, secondary legislation under the Act, or rules (including accounting records). These records must be capable of being reproduced in the English language and on paper.

CRED 4.3.33G

A credit union should have appropriate systems in place to fulfil its obligations with respect to adequacy, access, periods of retention, and security of records.

CRED 4.3.34G

The main reasons why a credit union should maintain adequate accounting and other records are:

  1. (1)

    to provide the committee of management with adequate financial and other information to enable them to conduct its business in a prudent manner on a day-to-day basis;

  2. (2)

    to safeguard the assets of the credit union and the interests of members and persons too young to be members (see CRED 7.3.2 G);

  3. (3)

    to assist officers of the credit union to fulfil their regulatory and statutory duties in relation to the preparation of annual accounts;

  4. (4)

    to provide the committee of management with sufficient timely and accurate information to assist them to submit the information required or requested by the FSA.

CRED 4.3.35G

When forming their opinion of whether the accounting and other records are adequate, the committee of management should satisfy themselves that they capture and record on a timely basis, and in an orderly fashion, every transaction. They should provide sufficient information in respect of each transaction to explain:

  1. (1)

    its nature and purpose;

  2. (2)

    the asset or liability, actual and contingent, which arises (or may arise) from it;

  3. (3)

    the income or expenditure, current and deferred, which arises from it.

CRED 4.3.36G

The committee of management must be satisfied that the records are maintained in an integrated and orderly manner to disclose, with reasonable accuracy and promptness, the state of the business at any time.

3Systems and controls in relation to compliance and financial crime3

CRED 4.3.37G

SYSC 3.2.6 R requires all credit unions to take reasonable care to establish and maintain effective systems and controls for compliance with all regulatory requirements (in other words, the relevant Acts, secondary legislation, and rules) and for countering the risk of financial crime.

CRED 4.3.37AG

3SYSC 3.2.6A R and requiresa credit union to ensure that these systems and controls:

  1. (1)

    enable it to identify, assess, monitor and manage money laundering risk; and

  2. (2)

    are comprehensive and proportionate to the nature, scale and complexity of that credit union's activities.

CRED 4.3.37BG

3'Money laundering risk' is the risk that a credit union may be used to further money laundering. Failure by a credit union to manage this risk effectively will increase the risk to society of crime and terrorism.

CRED 4.3.37CG

3SYSC 3.2.6C R requires a credit union to carry out regular assessments of the adequacy of these systems and controls to ensure that they continue to meet this requirement.

CRED 4.3.37DG

3A credit union may also have separate obligations to comply with relevant legal requirements, including the Terrorism Act 2000, the Proceeds of Crime Act 2002 and the Money Laundering Regulations. SYSC 3.2.6 R to 3.2.6J G are not relevant guidance for the purposes of regulation 3(3) of the Money Laundering Regulations, section 330(8) of the Proceeds of Crime Act 2002 or section 21A(6) of the Terrorism Act 2000.

CRED 4.3.37EG

3The FSA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a credit union has followed relevant provisions in guidance for the UK financial sector issued by the Joint Money Laundering Steering Group.

CRED 4.3.37FG

3In identifying its money laundering risk and in establishing the nature of these systems and controls, a credit union should consider a range of factors, including:

  1. (1)

    its customer, product and activity profile;

  2. (2)

    its distribution channels;

  3. (3)

    the complexity and volume of its transactions;

  4. (4)

    its processes and systems; and

  5. (5)

    its operating environment.

CRED 4.3.37GG

3A credit union should ensure that these systems and controls include:

  1. (1)

    appropriate training for that credit union's employees in relation to money laundering;

  2. (2)

    appropriate provision of information to that credit union's governing body and senior management, including a report at least annually by that credit union's money laundering reporting officer on the operation and effectiveness of those systems and controls;

  3. (3)

    appropriate documentation of that credit union's risk management policies and risk profile in relation to money laundering, including documentation of that credit union's application of those policies (see SYSC 3.2.20 R to SYSC 3.2.22 G);

  4. (4)

    appropriate measures to ensure that money laundering risk is taken into account in the day-to-day operation of that credit union, including in relation to:

    1. (a)

      the development of new products;

    2. (b)

      the taking-on of new customers; and

    3. (c)

      changes in its business profile; and

  5. (5)

    appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to that credit union's services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.

CRED 4.3.37HG

3SYSC 3.2.6H R requires a credit union to allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the credit union for the establishment and maintenance of effective anti-money laundering systems and controls.

3The money laundering reporting officer

CRED 4.3.37IG

3SYSC 3.2.6I R requires a credit union to:

  1. (1)

    appoint a money laundering reporting officer, who shall be responsible for oversight of that credit union's compliance with the FSA's rules on systems and controls against money laundering; and

  2. (2)

    ensure that its money laundering reporting officer has a level of authority and independence within that credit union and access to resources and information sufficient to enable him to carry out that responsibility.

CRED 4.3.37JG

3The job of the money laundering reporting officer within a credit union is to act as the focal point for all activity within that credit union relating to anti-money laundering. The FSA expects that a credit union's money laundering reporting officer will be based in the United Kingdom.

3The compliance function

CRED 4.3.37KG

3Depending on the nature, scale and complexity of its business, it may be appropriate for a credit union to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the credit union's relevant records as well as ultimate recourse to its governing body.

CRED 4.3.38G

Guidance on compliance is located in 35SYSC 3.2.8 R35 - SYSC 3.2.9 G5.5

CRED 4.3.39G

SYSC 3.2.8 R is unlikely to be relevant to a credit union as it is relevant only to firms carrying on designated investment business.

CRED 4.3.40G

Some important compliance issues include:

  1. (1)

    insurance against fraud and dishonesty;

  2. (2)

    arrangements for the prevention, detection and reporting of money laundering;

  3. (3)

    establishing and maintaining a satisfactory system of control;

  4. (4)

    keeping proper books of account;

  5. (5)

    computation and application of profits;

  6. (6)

    investment of surplus funds;

  7. (7)

    capital requirements;

  8. (8)

    liquidity requirements;

  9. (9)

    limits on shares and loans;

  10. (10)

    maintenance of membership records;

  11. (11)

    submission of financial reports to the regulator;

  12. (12)

    approved persons regime;

  13. (13)

    payment of regulatory fees.

Management information

CRED 4.3.41G

Guidance on management information is located in SYSC 3.2.11 GSYSC 3.2.12 G.

CRED 4.3.42G

A credit union should maintain information systems to enable the committee of management to direct and control the credit union's business effectively, and to provide the information required by the FSA.

CRED 4.3.43G

The committee of management should be satisfied that:

  1. (1)

    the information available is sufficient for the proper assessment of the potential risks for the credit union, and in order to determine its need for capital and liquidity;

  2. (2)

    the information available is sufficiently comprehensive to provide a clear statement of the performance and financial position of the credit union;

  3. (3)

    management information reports are prepared with sufficient frequency;

  4. (4)

    sufficient attention is focused on key factors affecting income and expenditure and that appropriate performance indicators are employed;

  5. (5)

    actual performance is compared with planned and prior performance.

CRED 4.3.44G

In forming a view on whether the management information system is sufficiently comprehensive, the committee of management should consider whether, where relevant, the substance of reports provides a clear statement of:

  1. (1)

    the capital position;

  2. (2)

    the liquidity position;

  3. (3)

    profits and losses, assets and liabilities, and flow of funds;

  4. (4)

    loans, arrears, and provisions.

CRED 4.3.45G

The matters listed in CRED 4.3.44 G should be compared against limits, ratios and other parameters set by the committee of management, as well as regulatory requirements.

Information for the FSA

CRED 4.3.46G

Information reported to the FSA should be accurate and timely. Credit unions are required to complete returns as set out in CRED 14.10, and submit them within the specified timetable. Returns should be reviewed prior to their submission to the FSA at a sufficiently senior level. The review should check for consistency between different returns, between various tables on the same return, and between information prepared for the committee of management.

Personnel

CRED 4.3.47G

Guidance on employees and agents is located in SYSC 3.2.13 G - SYSC 3.2.14 G.

CRED 4.3.48G

A credit union should identify present and future staffing requirements (including volunteers and paid staff) and make appropriate plans for their recruitment and training.

CRED 4.3.49G

A credit union should have appropriate systems and controls in place to satisfy itself as to the suitability of its staff, including the competence and honesty of such staff. Any assessment of suitability should take into account the nature of the position and the level of responsibility that the individual would hold.

Internal Audit

CRED 4.3.50G

CRED 4.3.11 E states that a credit union should have an internal audit function (see also CRED 4.3.12 G)4.

4
CRED 4.3.51G

Guidance on internal audit and audit committees (otherwise known as the supervisory committee) is located in SYSC 3.2.15 G - SYSC 3.2.16 G.

CRED 4.3.52G

Depending upon the scale and nature of the credit union's activities, it may be appropriate for the audit committee to delegate the task of monitoring the effectiveness and appropriateness of its systems and controls to an employee or other third party.

CRED 4.3.53G

The purposes of an internal audit are:

  1. (1)

    to ensure that the policies and procedures of the credit union are followed;

  2. (2)

    to provide the committee of management with a continuous appraisal of the overall effectiveness of the control systems, including proposed changes;

  3. (3)

    to recommend improvements where desirable or necessary;

  4. (4)

    to determine whether the internal controls established by the committee of management are being maintained properly and operated as laid down in the policy, and comply with relevant Acts, secondary legislation, rules, policies and procedures;

  5. (5)

    to ensure that accounting records are prepared promptly and accurately, and that they are in order;

  6. (6)

    to assess whether financial and operating information supplied to the committee of management is accurate, pertinent, timely, and complete.

CRED 4.3.54G

The internal audit function (see CRED 4.3.12 G)4 should develop an audit plan, covering all aspects of the credit union's business. The audit plan should identify the scope and frequency of work to be carried out in each area. Areas identified as higher risk should be covered more frequently. However, over a set time frame (likely to be one year) all areas should be covered. Care should be taken to avoid obvious patterns of checking.

4
CRED 4.3.55G

The internal audit work programme should include items such as:

  1. (1)

    verification of cash (counting and reconciliation) without prior notification;

  2. (2)

    bank reconciliation (checking records against bank statements);

  3. (3)

    verification of passbooks or account statements;

  4. (4)

    checking for compliance with policies and procedures;

  5. (5)

    checking for compliance with relevant Acts, secondary legislation and rules;

  6. (6)

    checking minutes and reports of the committee of management and other sub-committees for compliance, and assessing regularity and completeness;

  7. (7)

    checking loan applications;

  8. (8)

    verification of the credit union's assets and investments.

CRED 4.3.56G

The key elements of a satisfactory system of internal audit include the following:

  1. (1)

    Terms of reference. These should be specified with precision and include, amongst other things, scope and objectives of the audit committee and the internal audit function (see CRED 4.3.12 G)4, access to records, powers to obtain information and explanations for officers, and reporting requirements. These should be approved by the committee of management.

    4
  2. (2)

    Risk analysis. Key risks in each area of the credit union's business should be identified. The adequacy of the specific controls put in place to address those risks should be assessed.

  3. (3)

    Internal audit plan. This should be developed on the basis of the risk analysis.

  4. (4)

    Detailed programmes. These should be based on the internal audit plan, together with the controls and their objectives specified in the control documentation. Each programme should be comprehensive, specifying the frequency with which the various parts of the programme are to be carried out and how the work is to be performed.

  5. (5)

    Working papers. These should be maintained to evidence who performed the work, how it was controlled and supervised, and to record the conclusions reached. They should be cross referenced to reports made and action taken.

  6. (6)

    System of reporting. Formal reports should be submitted at the completion of each aspect of programmed work, stating the areas covered together with any recommendations and conclusions reached.

CRED 4.3.57G

The internal audit function (see CRED 4.3.12 G)4 should be independent of all of the functions it inspects.

4
CRED 4.3.58G

The committee of management should be satisfied that the status and reporting relationship of the chair of the audit committee is sufficient to maintain the independence and objectivity of the function.

CRED 4.3.59G

The qualifications, experience and training of individuals performing the internal audit function (see CRED 4.3.12 G)4 should be adequate in relation to its objectives.

4
CRED 4.3.60G

The committee of management should be satisfied that the internal audit function (see CRED 4.3.12 G)4 is being properly carried out. In order to review the overall effectiveness of the internal audit function4 it should consider the following:

44
  1. (1)

    the adequacy and scope of planning;

  2. (2)

    the adequacy and scope of work performed in relation to the plans and programmes;

  3. (3)

    the regularity and level of reporting on matters arising from the inspections;

  4. (4)

    the disposal of points and recommendations raised, and reasons for the rejection of any major points;

  5. (5)

    a review of the overall effectiveness of the internal audit function4.

    4

Business planning

CRED 4.3.61G

CRED 4.3.5 R requires that a credit union maintains a current business plan.

CRED 4.3.62G

Version 2 credit unions should submit a copy of their business plan to the FSA. A version 2 credit union making any significant changes to the business plan should provide the FSA with a copy of the amended plan as soon as possible after it has been adopted.

CRED 4.3.63G

Guidance on business strategy is located in SYSC 3.2.17 G.

CRED 4.3.64G

The committee of management should have a satisfactory planning system to provide a framework for growth and development of the credit union, and to enable it to identify, measure, manage and control risks of regulatory concern.

CRED 4.3.65G

The business plan should cover a period of three years from the current financial year, that is to say, the remainder of the current financial year and the two following financial years2.

CRED 4.3.66G

The planning system should be defined clearly, documented appropriately, and planning related tasks and decision making responsibilities allocated clearly within the credit union.

CRED 4.3.67G

The conclusions, recommendations, projections and assumptions set out in the business plan should be supported by analysis, based on adequate data, and properly documented for comparison with actuals.

CRED 4.3.68G

The committee of management should consider the range of possible outcomes in relation to various risks. These risks are increased when a credit union provides ancillary services like issuing and administering means of payment and money transmission, which result, in particular, in higher liquidity and operational risks.1

Documentation of policies and procedures

CRED 4.3.69G

CRED 4.3.7 R requires that a credit union maintains a manual of its policies and procedures.

CRED 4.3.70G

Version 2 credit unions should submit a copy of their policy and procedures manual to the FSA. A version 2 credit union making any significant changes to their policies or procedures should provide the FSA with a copy of the amended manual as soon as possible after it has been adopted.

CRED 4.3.71G

The policy and procedures manual should cover all aspects of the credit union's operations, including matters such as:

  1. (1)

    cash handling and disbursements;

  2. (2)

    collection procedures;

  3. (3)

    lending - including large exposures (see CRED 10.1 - CRED 10.5);

  4. (4)

    arrears management (see CRED 10.2.8 G - CRED 10.2.9 G);

  5. (5)

    provisioning (see CRED 10.5);

  6. (6)

    liquidity management (see CRED 9);

  7. (7)

    financial risk management (see CRED 7);

  8. (8)

    money laundering prevention (see CRED 4.3.37 G and SYSC 3.23);

    3
  9. (9)

    internal audit (see CRED 4.3.50 G - CRED 4.3.60 G);

  10. (10)

    information technology (see CRED 4.3.31 G);

  11. (11)

    business continuity - otherwise known as disaster recovery (see CRED 4.3.72 G - CRED 4.3.74 G);

  12. (12)

    marketing;

  13. (13)

    training;

  14. (14)

    connected persons and managing conflicts of interest (see CRED 4.3.27 G);

  15. (15)

    complaints handling (see CRED 17).

Business continuity

CRED 4.3.72G

Guidance on business continuity is located in SYSC 3.2.19 G.

CRED 4.3.73G

A credit union should put in place contingency arrangements to ensure that it could continue to operate and meet its regulatory requirements in the event of an unforeseen interruption that may otherwise prevent the credit union from operating normally. (For example, if there was a complete failure of IT systems or if the premises were destroyed by fire).

CRED 4.3.74G

Business continuity arrangements should be reviewed and tested regularly in order to ensure their effectiveness.