REC 2.5 Systems and controls and conflicts

In assessing whether the systems and controls used by a UK recognised body in the performance of its relevant functions are adequate and appropriate for the scale and nature of its business, the FCA3 may have regard to the UK recognised body's:

1. (1)

   arrangements for managing, controlling and carrying out its relevant functions, including:

   1. (a)

      the distribution of duties and responsibilities among its key individuals and the departments of the UK recognised body responsible for performing its relevant functions;

   2. (b)

      the staffing and resources of the departments of the UK recognised body responsible for performing its relevant functions;

   3. (c)

      the arrangements made to enable key individuals to supervise the departments for which they are responsible;

   4. (d)

      the arrangements for appointing and supervising the performance of key individuals (and their departments); and

   5. (e)

      the arrangements by which the governing body is able to keep the allocation of responsibilities between, and the appointment, supervision and remuneration of, key individuals under review;

2. (2)

   arrangements for the identification and 2management of conflicts of interest;

3. (3)

   arrangements for internal and external audit; and

4. (4)

   information technology systems.

The following paragraphs set out other matters to which the FCA3 may have regard in assessing the systems and controls used for the transmission of information, risk management, the effecting and monitoring of transactions, the operation of settlement arrangements (the matters covered in paragraph 4(2)(d) of the Schedule to the Recognition Requirements Regulations) and the safeguarding and administration of assets .

In assessing a UK recognised body's systems and controls for the transmission of information, the FCA3 may also have regard to the extent to which these systems and controls ensure that information is transmitted promptly and accurately:

1. (1)

   within the UK recognised body itself;

2. (2)

   to members; and

3. (3)

   (where appropriate) to other market participants or other relevant persons.

In assessing a UK recognised body's systems and controls for assessing and managing risk, the FCA3 may also have regard to the extent to which these systems and controls enable the UK recognised body to:

1. (1)

   identify all the general, operational, legal and market risks wherever they arise in its activities;

2. (2)

   measure and control the different types of risk;

3. (3)

   allocate responsibility for risk management to persons with appropriate knowledge and expertise; and

4. (4)

   provide sufficient, reliable information to key individuals and, where relevant, the governing body of the UK recognised body.

In assessing a UK RIE's systems and controls for the effecting and monitoring of transactions, and for the operation of settlement arrangements, the FCA3 may have regard to the totality of the arrangements and processes through which the UK RIE's transactions are effected, cleared,3 and settled, including:

1. (1)

   a UK RIE's arrangements under which orders are received and matched, its arrangements for trade and transaction reporting, and (if relevant) its arrangements with another person under which any rights or liabilities arising from transactions are discharged including arrangements3 for transmission to a settlement system or clearing house;

   3
2. (2)

   (if relevant), a UK RIE's3 arrangements under which instructions relating to3 a transaction to be cleared by another person by means of a clearing facilitation service3 are entered into its systems by the relevant other person and transmitted to the other person; and3

   333
3. (3)

   the arrangements made by the UK RIE3 for monitoring and reviewing the operation of these systems and controls.

   3

In assessing a UK recognised body's systems and controls for the safeguarding and administration of assets belonging to users of its facilities, the FCA3 may have regard to the totality of the arrangements and processes by which the UK recognised body:

1. (1)

   records the assets held and the identity of the owners of (and other persons with relevant rights over) those assets;

2. (2)

   records any instructions given in relation to those assets;

3. (3)

   records the carrying out of those instructions;

4. (4)

   records any movements in those assets (or any corporate actions or other events in relation to those assets); and

5. (5)

   reconciles its records of assets held with the records of any custodian or sub-custodian used to hold these assets, and with the records of beneficial or legal ownership of those assets.

A conflict of interest arises in a situation where a person with responsibility to act in the interests of one person may be influenced in his action by an interest or association of his own, whether personal or business or employment related. Conflicts of interest can arise both for the employees of UK recognised bodies and for the members (or other persons) who may be involved in the decision-making process, for example where they belong to committees or to the governing body. Conflicts of interest may also arise for the UK recognised body itself as a result of its connection with another person.

The FCA3 recognises that a UK RIE3 has legitimate interests of its own and that its general business policy may properly be influenced by other persons (such as its owners). Such a connection does not necessarily imply the existence of a conflict of interest nor is it necessary to exclude individuals closely connected with other persons (for example, those responsible for the stewardship of the owner's interests) from all decision-making processes in a UK recognised body. However, there may be decisions, primarily regulatory decisions, from which it may be appropriate to exclude an individual in certain circumstances where an interest, position or connection of his conflicts with the interest of the recognised body.

REC 2.5.13 G to REC 2.5.16 G set out the factors to which the FCA3 may have regard in assessing a UK recognised body's systems and controls for managing conflicts of interest.

The FCA3 may have regard to the arrangements a UK recognised body makes to structure itself and to allocate responsibility for decisions so that it can continue to take proper regulatory decisions notwithstanding any conflicts of interest, including:

1. (1)

   the size and composition of the governing body and relevant committees;

2. (2)

   the roles and responsibilities of key individuals, especially where they also have responsibilities in other organisations;

3. (3)

   the arrangements for transferring decisions or responsibilities to alternates in individual cases; and

4. (4)

   the arrangements made to ensure that individuals who may have a permanent conflict of interest in certain circumstances are excluded from the process of taking decisions (or receiving information) about matters in which that conflict of interest would be relevant.

The FCA3 may also have regard to the systems and controls intended to ensure that confidential information is only used for proper purposes. Where relevant, recognised bodies will have to comply with section 348 (Restrictions on disclosure of confidential information by the FCA3 etc.) and regulations made under section 349 (Exemptions from section 348) of the Act.

The FCA3 may also have regard to the contracts of employment, staff rules, letters of appointment for members of the governing body, members of relevant committees and other key individuals and other guidance given to individuals on handling conflicts of interest. Guidance to individuals may need to cover:

1. (1)

   the need for prompt disclosure of a conflict of interest to enable others, who are not affected by the conflict, to assist in deciding how it should be managed;

2. (2)

   the circumstances in which a general disclosure of conflicts of interest in advance of any particular instance in which a conflict of interest arises may be sufficient;

3. (3)

   the circumstances in which a general advance disclosure may not be adequate;

4. (4)

   the circumstances in which it would be appropriate for a conflicted individual to withdraw from involvement in the matter concerned, without disclosing the interest; and

5. (5)

   the circumstances in which safeguards in addition to disclosure would be required, such as the withdrawal of the individual from the decision-taking process, or from access to relevant information.

The FCA3 may also have regard to the arrangements made:

1. (1)

   for enforcing rules or other provisions applicable to staff and other persons involved in regulatory decisions; and

2. (2)

   to keep records of disclosures of conflicts of interest and the steps taken to handle them.

A UK recognised body's arrangements for internal and external audit will be an important part of its systems and controls. In assessing the adequacy of these arrangements, the FCA3 may have regard to:

1. (1)

   the size, composition and terms of reference of any audit committee of the UK recognised body'sgoverning body;

2. (2)

   the frequency and scope of external audit;

3. (3)

   the provision and scope of internal audit;

4. (4)

   the staffing and resources of the UK recognised body's internal audit department;

5. (5)

   the internal audit department's access to the UK recognised body's records and other relevant information; and

6. (6)

   the position, responsibilities and reporting lines of the internal audit department and its relationship with other departments of the UK recognised body.

Information technology is likely to be a major component of the systems and controls used by any UK recognised body. In assessing the adequacy of the information technology used by a UK recognised body to perform or support its relevant functions, the FCA3 may have regard to:

1. (1)

   the organisation, management and resources of the information technology department within the UK recognised body;

2. (2)

   the arrangements for controlling and documenting the design, development, implementation and use of information technology systems; and

3. (3)

   the performance, capacity and reliability of information technology systems.

The FCA3 may also have regard to the arrangements for maintaining, recording and enforcing technical and operational standards and specifications for information technology systems, including:

1. (1)

   the procedures for the evaluation and selection of information technology systems;

2. (2)

   the arrangements for testing information technology systems before live operations;

3. (3)

   the procedures for problem management and system change;

4. (4)

   the arrangements to monitor and report system performance, availability and integrity;

5. (5)

   the arrangements (including spare capacity and access to back-up facilities) made to ensure information technology systems are resilient and not prone to failure;

6. (6)

   the arrangements made to ensure business continuity in the event that an information technology system does fail;

7. (7)

   the arrangements made to protect information technology systems from damage, tampering, misuse or unauthorised access; and

8. (8)

   the arrangements made to ensure the integrity of data forming part of, or being processed through, information technology systems.

The FCA3 may have regard to the arrangements made to keep clear and complete audit trails of all uses of information technology systems and to reconcile (where appropriate) the audit trails with equivalent information held by system users and other interested parties.