PRU 8.1 1 Group risk systems and controls requirement
Application
Subject to PRU 8.1.3 R to PRU 8.1.5 R, PRU 8.1 applies to each of the following which is a member of a group:
(1) a firm that falls into any of the following categories:
    (a)
    (b) a bank, ELMI or building society;
    (c) an insurer;
    (d)
    (e)
    (f) a UCITS investment firm; and
    (g) a broker/manager or an arranger that satisfies the following conditions:
        (i) it is an ISD investment firm; and
        (ii) it is not an exempt CAD firm;
(2) a UCITS firm, but only if its group contains a firm falling into (1); and
(3) the Society.
Except as set out in PRU 8.1.5 R, PRU 8.1 applies with respect to different types of group as follows:
(1) PRU 8.1.9 R and PRU 8.1.11 R apply with respect to all groups, including FSA regulated EEA financial conglomerates, other financial conglomerates and groups dealt with in PRU 8.1.14 R and PRU 8.1.15 R;
(2) the additional requirements set out in PRU 8.1.12 R and PRU 8.1.13 R only apply with respect to FSA regulated EEA financial conglomerates; and
(3) the additional requirements set out in PRU 8.1.14 R and PRU 8.1.15 R only apply with respect to groups of the kind dealt with by whichever of those rules apply.
PRU 8.1 does not apply to:
(1) an incoming EEA firm; or
(2) an incoming Treaty firm; or
(3) a UCITS qualifier; or
(4) an ICVC.
A venture capital firm that would otherwise be included in PRU 8.1.1 R (1)(d) to PRU 8.1.1 R (1)(g) is excluded from those rules if it is not an ISD investment firm.
(1) This rule applies to:
    (a)
    (b) PRU 8.1.11 R (1), so far as it relates to PRU 8.1.9 R (2);
    (c) PRU 8.1.11 R (2); and
    (d)
(2) The rules referred to in (1):
    (a) only apply with respect to a financial conglomerate if it is an FSA regulated EEA financial conglomerate;
    (b) (so far as they apply with respect to a group that is not a financial conglomerate) do not apply with respect to a group for which a competent authority in another EEA state is lead regulator;
    (c) (so far as they apply with respect to a financial conglomerate) do not apply to a firm with respect to a financial conglomerate of which it is a member if the interest of the financial conglomerate in that firm is no more than a participation;
    (d) (so far as they apply with respect to other groups) do not apply to a firm with respect to a group of which it is a member if the only relationship of the kind set out in paragraph (3) of the definition of group between it and the other members of the group is nothing more than a participation; and
    (e) do not apply with respect to a third-country group.
For the purposes of PRU 8.1, a group is defined in the Glossary, and includes the whole of a firm's group, including financial and non-financial undertakings. It also covers undertakings with other links to group members if their omission from the scope of group risk systems and controls would be misleading. The scope of the group systems and controls requirements may therefore differ from the scope of the quantitative requirements for groups.
Purpose
The purpose of this chapter is to set out how systems and controls requirements apply where a firm is part of a group. SYSC 3.1 (Systems and controls) requires a firm to take reasonable care to establish and maintain such systems and controls as are appropriate to the nature, scale and complexity of its business. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.
PRU 8.1 implements Articles 52(6) (Supervision on a consolidated basis of credit institutions) and 55a (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directive, Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes) and Article 8 of the Insurance Groups Directive (Intra-group transactions).
General rules
A firm must:
(1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and
(2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.
For the purposes of PRU 8.1.9 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business.
The internal control mechanisms referred to in PRU 8.1.9 R must include:
(1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency and large exposures):
(2) mechanisms that are adequate to monitor funding within the group.
Financial conglomerates
Where PRU 8.1 applies with respect to a financial conglomerate, the risk management processes referred to in PRU 8.1.9 R (2) must include:
(1) sound governance and management processes, which must include the approval and periodic review by the appropriate managing bodies within the financial conglomerate of the strategies and policies of the financial conglomerate in respect of all the risks assumed by the financial conglomerate, such review and approval being carried out at the level of the financial conglomerate;
(2) adequate capital adequacy policies at the level of the financial conglomerate, one of the purposes of which must be to anticipate the impact of the business strategy of the financial conglomerate on its risk profile and on the capital adequacy requirements to which it and its members are subject;
(3) adequate procedures for the purpose of ensuring that the risk monitoring systems of the financial conglomerate and its members are well integrated into their organisation; and
(4) adequate procedures for the purpose of ensuring that the systems and controls of the members of the financial conglomerate are consistent and that the risks can be measured, monitored and controlled at the level of the financial conglomerate.
Where PRU 8.1 applies with respect to a financial conglomerate, the internal control mechanisms referred to in PRU 8.1.9 R (2) must include:
(1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate to risks; and
(2) sound reporting and accounting procedures for the purpose of identifying, measuring, monitoring and controlling intra-group transactions and risk concentrations.
Credit institutions and investment firms
In the case of a firm that:
(1) is a credit institution or investment firm; and
(2) has a mixed-activity holding company as a parent undertaking;
the risk management processes and internal control mechanisms referred to in PRU 8.1.9 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity holding company and any of the mixed-activity holding company's subsidiary undertakings.
Insurance undertakings
In the case of an insurer that has a mixed-activity insurance holding company as a parent undertaking, the risk management processes and internal control mechanisms referred to in PRU 8.1.9 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity insurance holding company and any of the mixed-activity insurance holding company's subsidiary undertakings.
PRU 8.1.14 R cannot apply to a building society as it cannot have a mixed-activity holding company as a parent undertaking. PRU 8.1.15 R cannot apply to a friendly society as it cannot have a mixed-activity insurance holding company as a parent undertaking.
Nature and extent of requirements and allocation of responsibilities within the group
The nature and extent of the systems and controls necessary under PRU 8.1.9 R (1) to address group risk will vary according to the materiality of those risks to the firm and the position of the firm within the group.
In some cases the management of the systems and controls used to address the risks described in PRU 8.1.9 R (1) may be organised on a group-wide basis. If the firm is not carrying out those functions itself, it should delegate them to the group members that are carrying them out. However, this does not relieve the firm of responsibility for complying with its obligations under PRU 8.1.9 R (1). A firm cannot absolve itself of such a responsibility by claiming that any breach of that rule is caused by the actions of another member of the group to whom the firm has delegated tasks. The risk management arrangements are still those of the firm, even though personnel elsewhere in the firm's group are carrying out these functions on its behalf.
PRU 8.1.9 R (1) deals with the systems and controls that a firm should have in respect of the exposure it has to the rest of the group. On the other hand, the purpose of PRU 8.1.9 R (2) and the rules in PRU 8.1 that amplify it is to require groups to have adequate systems and controls. However, a group is not a single legal entity on which obligations can be imposed. Therefore the obligations have to be placed on individual firms. The purpose of imposing the obligations on each firm in the group is to make sure that the FSA can take supervisory action against any firm in a group whose systems and controls do not meet the standards in PRU 8.1. Thus responsibility for compliance with the rules for group systems and controls is a joint one.
If both a firm and its parent undertaking are subject to PRU 8.1.9 R (2), the FSA would not expect systems and controls to be duplicated. In this case, the firm should assess whether and to what extent it can rely on its parent's group risk systems and controls.