REC 2.5 Systems and controls
Schedule to the Recognition Requirements Regulations, paragraph 3
(1) The [UK RIE] must ensure that the systems and controls used in the performance of its [relevant functions] are adequate, and appropriate for the scale and nature of its business.
(2) Sub-paragraph (1) applies in particular to systems and controls concerning -
(a) the transmission of information;
(b) the assessment and management of risks to the performance of the [UK RIE's relevant functions];
(c) the effecting and monitoring of transactions on the [UK RIE];
(d) the operation of the arrangements mentioned in paragraph 4(2)(d); and
(e) (where relevant) the safeguarding and administration of assets belonging to users of the [UK RIE's] facilities.
Schedule to the Recognition Requirements Regulations, paragraph 18
(1) The [UK RCH] must ensure that the systems and controls used in the performance of its [relevant functions] are adequate, and appropriate for the scale and nature of its business.
(2) This requirement applies in particular to systems and controls concerning -
(a) the transmission of information;
(b) the assessment and management of risks to the performance of the [UK RCH's relevant functions];
(c) the operation of the arrangements mentioned in paragraph 19(2)(b); and
(d) (where relevant) the safeguarding and administration of assets belonging to users of the [UK RCH's] facilities.
In assessing whether the systems and controls used by a UK recognised body in the performance of its relevant functions are adequate and appropriate for the scale and nature of its business, the FSA may have regard to the UK recognised body's:
- (1) arrangements for managing, controlling and carrying out its relevant functions, including:
  - (a) the distribution of duties and responsibilities among its key individuals and the departments of the UK recognised body responsible for performing its relevant functions;
  - (b) the staffing and resources of the departments of the UK recognised body responsible for performing its relevant functions;
  - (c) the arrangements made to enable key individuals to supervise the departments for which they are responsible;
  - (d) the arrangements for appointing and supervising the performance of key individuals (and their departments); and
  - (e) the arrangements by which the governing body is able to keep the allocation of responsibilities between, and the appointment, supervision and remuneration of, key individuals under review;
- (2) arrangements for the management of conflicts of interest;
- (3) arrangements for internal and external audit; and
- (4) information technology systems.
The following paragraphs set out other matters to which the FSA may have regard in assessing the systems and controls used for the transmission of information, risk management, the effecting and monitoring of transactions, the operation of settlement arrangements (the matters covered in paragraphs 4(2)(d) and 19(2)(b) of the Schedule to the Recognition Requirements Regulations) and the safeguarding and administration of assets.
Information transmission
In assessing a UK recognised body's systems and controls for the transmission of information, the FSA may also have regard to the extent to which these systems and controls ensure that information is transmitted promptly and accurately:
- (1) within the UK recognised body itself;
- (2) to members; and
- (3) (where appropriate) to other market participants or other relevant persons.
Risk management
In assessing a UK recognised body's systems and controls for assessing and managing risk, the FSA may also have regard to the extent to which these systems and controls enable the UK recognised body to:
- (1) identify all the general, operational, legal and market risks wherever they arise in its activities;
- (2) measure and control the different types of risk;
- (3) allocate responsibility for risk management to persons with appropriate knowledge and expertise; and
- (4) provide sufficient, reliable information to key individuals and, where relevant, the governing body of the UK recognised body.
Where the UK recognised body assumes significant counterparty risk (for example, by acting as a central counterparty), the FSA may also have regard to:
- (1) the position of the risk management department within the UK recognised body, including its access to the governing body and its relationship with the commercial or marketing departments of the UK recognised body;
- (2) the frequency with which all exposures and risks incurred by the UK recognised body are monitored against risk or exposure limits or other appropriate control parameters;
- (3) the frequency with which risk or exposure limits (or other control parameters) are reviewed;
- (4) the reliability of the arrangements for monitoring and assessing intra-day movements in exposures and risks;
- (5) the robustness of the arrangements for calculating, collecting and holding margin payments and the allocation of losses; and
- (6) the arrangements for stress testing of the adequacy of the UK recognised body's financial resources to cover its exposures which may arise, for example, with substantial movements in market values or counterparty defaults.
Effecting and monitoring of transactions and operation of settlement arrangements
In assessing a UK RIE's systems and controls for the effecting and monitoring of transactions, and the systems and controls used by a UK recognised body for the operation of settlement arrangements, the FSA may have regard to the totality of the arrangements and processes through which a transaction is effected, cleared and settled, including:
- (1) a UK RIE's arrangements under which orders are received and matched, and its arrangements for trade and transaction reporting, and (if relevant) for transmission to a settlement system or clearing house;
- (2) a UK recognised body's arrangements under which clearing and settlement instructions arising from a transaction are entered into its systems to the point at which any rights or liabilities arising from that transaction are discharged; and
- (3) the arrangements made by the UK recognised body for monitoring and reviewing the operation of these systems and controls.
Safeguarding and administration of assets
In assessing a UK recognised body's systems and controls for the safeguarding and administration of assets belonging to users of its facilities, the FSA may have regard to the totality of the arrangements and processes by which the UK recognised body:
- (1) records the assets held and the identity of the owners of (and other persons with relevant rights over) those assets;
- (2) records any instructions given in relation to those assets;
- (3) records the carrying out of those instructions;
- (4) records any movements in those assets (or any corporate actions or other events in relation to those assets); and
- (5) reconciles its records of assets held with the records of any custodian or sub-custodian used to hold these assets, and with the records of beneficial or legal ownership of those assets.
Management of conflicts of interest
A conflict of interest arises in a situation where a person with responsibility to act in the interests of one person may be influenced in his action by an interest or association of his own, whether personal or business or employment related. Conflicts of interest can arise both for the employees of UK recognised bodies and for the members (or other persons) who may be involved in the decision-making process, for example where they belong to committees or to the governing body. Conflicts of interest may also arise for the UK recognised body itself as a result of its connection with another person.
The FSA recognises that a UK recognised body has legitimate interests of its own and that its general business policy may properly be influenced by other persons (such as its owners). Such a connection does not necessarily imply the existence of a conflict of interest nor is it necessary to exclude individuals closely connected with other persons (for example, those responsible for the stewardship of the owner's interests) from all decision-making processes in a UK recognised body. However, there may be decisions, primarily regulatory decisions, from which it may be appropriate to exclude an individual in certain circumstances where an interest, position or connection of his conflicts with the interest of the recognised body.
REC 2.5.13 G to REC 2.5.16 G set out the factors to which the FSA may have regard in assessing a UK recognised body's systems and controls for managing conflicts of interest.
The FSA may have regard to the arrangements a UK recognised body makes to structure itself and to allocate responsibility for decisions so that it can continue to take proper regulatory decisions notwithstanding any conflicts of interest, including:
- (1) the size and composition of the governing body and relevant committees;
- (2) the roles and responsibilities of key individuals, especially where they also have responsibilities in other organisations;
- (3) the arrangements for transferring decisions or responsibilities to alternates in individual cases; and
- (4) the arrangements made to ensure that individuals who may have a permanent conflict of interest in certain circumstances are excluded from the process of taking decisions (or receiving information) about matters in which that conflict of interest would be relevant.
The FSA may also have regard to the systems and controls intended to ensure that confidential information is only used for proper purposes. Where relevant, recognised bodies will have to comply with section 348 (Restrictions on disclosure of confidential information by the FSA etc.) and regulations made under section 349 (Exemptions from section 348) of the Act.
The FSA may also have regard to the contracts of employment, staff rules, letters of appointment for members of the governing body, members of relevant committees and other key individuals and other guidance given to individuals on handling conflicts of interest. Guidance to individuals may need to cover:
- (1) the need for prompt disclosure of a conflict of interest to enable others, who are not affected by the conflict, to assist in deciding how it should be managed;
- (2) the circumstances in which a general disclosure of conflicts of interest in advance of any particular instance in which a conflict of interest arises may be sufficient;
- (3) the circumstances in which a general advance disclosure may not be adequate;
- (4) the circumstances in which it would be appropriate for a conflicted individual to withdraw from involvement in the matter concerned, without disclosing the interest; and
- (5) the circumstances in which safeguards in addition to disclosure would be required, such as the withdrawal of the individual from the decision-taking process, or from access to relevant information.
Internal and external audit
A UK recognised body's arrangements for internal and external audit will be an important part of its systems and controls. In assessing the adequacy of these arrangements, the FSA may have regard to:
- (1) the size, composition and terms of reference of any audit committee of the UK recognised body's governing body;
- (2) the frequency and scope of external audit;
- (3) the provision and scope of internal audit;
- (4) the staffing and resources of the UK recognised body's internal audit department;
- (5) the internal audit department's access to the UK recognised body's records and other relevant information; and
- (6) the position, responsibilities and reporting lines of the internal audit department and its relationship with other departments of the UK recognised body.
Information technology systems
Information technology is likely to be a major component of the systems and controls used by any UK recognised body. In assessing the adequacy of the information technology used by a UK recognised body to perform or support its relevant functions, the FSA may have regard to:
- (1) the organisation, management and resources of the information technology department within the UK recognised body;
- (2) the arrangements for controlling and documenting the design, development, implementation and use of information technology systems; and
- (3) the performance, capacity and reliability of information technology systems.
The FSA may also have regard to the arrangements for maintaining, recording and enforcing technical and operational standards and specifications for information technology systems, including:
- (1) the procedures for the evaluation and selection of information technology systems;
- (2) the arrangements for testing information technology systems before live operations;
- (3) the procedures for problem management and system change;
- (4) the arrangements to monitor and report system performance, availability and integrity;
- (5) the arrangements (including spare capacity and access to back-up facilities) made to ensure information technology systems are resilient and not prone to failure;
- (6) the arrangements made to ensure business continuity in the event that an information technology system does fail;
- (7) the arrangements made to protect information technology systems from damage, tampering, misuse or unauthorised access; and
- (8) the arrangements made to ensure the integrity of data forming part of, or being processed through, information technology systems.