Related provisions for SYSC 3.2.1
(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor. (2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including: (1) its customer, product and activity profiles; (2) its distribution channels; (3) the complexity and volume of its transactions; (4) its processes and systems; and (5) its operating environment.
A firm should ensure that the systems and controls include: (1) appropriate training for its employees in relation to money laundering; (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls; (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
A firm must: (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G)
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities
A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
Schedule to the Recognition Requirements Regulations, paragraph 3 (1) The [UK RIE] must ensure that the systems and controls used in the performance of its [relevant functions] are adequate, and appropriate for the scale and nature of its business. (2) Sub-paragraph (1) applies in particular to systems and controls concerning - (a) the transmission of information; (b) the assessment, mitigation and management of risks to the performance of the [UK RIE's relevant functions]; (c) the effecting
In assessing whether the systems and controls used by a UK recognised body in the performance of its relevant functions are adequate and appropriate for the scale and nature of its business, the FSA may have regard to the UK recognised body's: (1) arrangements for managing, controlling and carrying out its relevant functions, including: (a) the distribution of duties and responsibilities among its key individuals and the departments of the UK recognised body responsible for performing
The following paragraphs set out other matters to which the FSA may have regard in assessing the systems and controls used for the transmission of information, risk management, the effecting and monitoring of transactions, the operation of settlement arrangements (the matters covered in paragraphs 4(2)(d) and 19(2)(b) of the Schedule to the Recognition Requirements Regulations) and the safeguarding and administration of assets.
In assessing a UK recognised body's systems and controls for assessing and managing risk, the FSA may also have regard to the extent to which these systems and controls enable the UK recognised body to: (1) identify all the general, operational, legal and market risks wherever they arise in its activities; (2) measure and control the different types of risk; (3) allocate responsibility for risk management to persons with appropriate knowledge and expertise; and (4) provide sufficient,
In assessing a UK RIE's systems and controls for the effecting and monitoring of transactions, and the systems and controls used by a UK recognised body for the operation of settlement arrangements, the FSA may have regard to the totality of the arrangements and processes through which a transaction is effected, cleared and settled, including: (1) a UK RIE's arrangements under which orders are received and matched, and its arrangements for trade and transaction reporting, and (if
In assessing a UK recognised body's systems and controls for the safeguarding and administration of assets belonging to users of its facilities, the FSA may have regard to the totality of the arrangements and processes by which the UK recognised body: (1) records the assets held and the identity of the owners of (and other persons with relevant rights over) those assets; (2) records any instructions given in relation to those assets; (3) records the carrying out of those instructions; (4)
The FSA may also have regard to the systems and controls intended to ensure that confidential information is only used for proper purposes. Where relevant, recognised bodies will have to comply with section 348 (Restrictions on disclosure of confidential information by the FSA etc.) and regulations made under section 349 (Exemptions from section 348) of the Act.
A UK recognised body's arrangements for internal and external audit will be an important part of its systems and controls. In assessing the adequacy of these arrangements, the FSA may have regard to: (1) the size, composition and terms of reference of any audit committee of the UK recognised body's governing body; (2) the frequency and scope of external audit; (3) the provision and scope of internal audit; (4) the staffing and resources of the UK recognised body's internal audit
Information technology is likely to be a major component of the systems and controls used by any UK recognised body. In assessing the adequacy of the information technology used by a UK recognised body to perform or support its relevant functions, the FSA may have regard to: (1) the organisation, management and resources of the information technology department within the UK recognised body; (2) the arrangements for controlling and documenting the design, development, implementation
The FSA may also have regard to the arrangements for maintaining, recording and enforcing technical and operational standards and specifications for information technology systems, including: (1) the procedures for the evaluation and selection of information technology systems; (2) the arrangements for testing information technology systems before live operations; (3) the procedures for problem management and system change; (4) the arrangements to monitor and report system performance,
The purpose of this chapter is to set out how the systems and control requirements imposed by SYSC (Senior Management Arrangements, Systems and Controls) apply where a firm is part of a group. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.
This section implements Articles 73(3) (Supervision on a consolidated basis of credit institutions) and 138 (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directive, Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes) and Article 8 of the Insurance Groups Directive (Intra-group transactions).
A firm must: (1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and (2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.
For the purposes of SYSC 12.1.8 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business and of the risks that the group bears. Risk management processes must include the stress testing and scenario analysis required by GENPRU 1.2.42 R and GENPRU 1.2.49R (1)(b).
The internal control mechanisms referred to in SYSC 12.1.8 R must include: (1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency, systems and controls and large exposures): (a) to which the firm is subject with respect to its membership of a group; or (b)
Where this section applies with respect to a financial conglomerate, the internal control mechanisms referred to in SYSC 12.1.8R (2) must include: (1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate to risks; and (2) sound reporting and accounting procedures for the purpose of identifying, measuring, monitoring and controlling intra-group transactions
If this rule applies under SYSC 12.1.14 R to a firm, the firm must: (1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEA sub-group of which it is a member, as well as in relation to its group; and (2) ensure that the risk management processes and internal control mechanisms at the level of any UK consolidation group or non-EEA sub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated)
In the case of a firm that: (1) is a BIPRU firm; and (2) has a mixed-activity holding company as a parent undertaking; the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity holding company and any of the mixed-activity holding company's subsidiary
In some cases the management of the systems and controls used to address the risks described in SYSC 12.1.8R (1) may be organised on a group-wide basis. If the firm is not carrying out those functions itself, it should delegate them to the group members that are carrying them out. However, this does not relieve the firm of responsibility for complying with its obligations under SYSC 12.1.8R (1). A firm cannot absolve itself of such a responsibility by claiming that any breach
SYSC 12.1.8R (1) deals with the systems and controls that a firm should have in respect of the exposure it has to the rest of the group. On the other hand, the purpose of SYSC 12.1.8R (2) and the rules in this section that amplify it is to require groups to have adequate systems and controls. However a group is not a single legal entity on which obligations can be imposed. Therefore the obligations have to be placed on individual firms. The purpose of imposing the obligations
Failing to take reasonable steps to implement (either personally or through a compliance department or other departments) adequate and appropriate systems of control to comply with the relevant requirements and standards of the regulatory system in respect of its regulated activities falls within APER 4.7.2 E. In the case of an approved person who is responsible, under SYSC 2.1.3 R (2) or SYSC 4.4.5 R (2), with overseeing the firm's obligation under SYSC 3.1.1 R or SYSC 4.1.1
Failing to take reasonable steps to ensure that procedures and systems of control are reviewed and, if appropriate, improved, following the identification of significant breaches (whether suspected or actual) of the relevant requirements and standards of the regulatory system relating to its regulated activities, falls within APER 4.7.2 E (see APER 4.7.13 G).
Behaviour of the type referred to in APER 4.7.7 E includes, but is not limited to: (1) unreasonably failing to implement recommendations for improvements in systems and procedures; (2) unreasonably failing to implement recommendations for improvements to systems and procedures in a timely manner.
In the case of an approved person performing a significant influence function responsible for compliance under SYSC 3.2.8 R, SYSC 6.1.4 R or SYSC 6.1.4A R, failing to take reasonable steps to ensure that appropriate compliance systems and procedures are in place falls within APER 4.7.2 E (see APER 4.7.14 G).
An approved person performing a significant influence function need not himself put in place the systems of control in his business (APER 4.7.4 E). Whether he does this depends on his role and responsibilities. He should, however, take reasonable steps to ensure that the business for which he is responsible has operating procedures and systems which include well-defined steps for complying with the detail of relevant requirements and standards of the regulatory system and for
Where the approved person performing a significant influence function becomes aware of actual or suspected problems that involve possible breaches of relevant requirements and standards of the regulatory system falling within his area of responsibility, then he should take reasonable steps to ensure that they are dealt with in a timely and appropriate manner (APER 4.7.7 E). This may involve an adequate investigation to find out what systems or procedures may have failed and why.
Where independent reviews of systems and procedures have been undertaken and result in recommendations for improvement, the approved person performing a significant influence function should ensure that, unless there are good reasons not to, any reasonable recommendations are implemented in a timely manner (APER 4.7.10 E). What is reasonable will depend on the nature of the inadequacy and the cost of the improvement. It will be reasonable for the approved person performing a significant
A firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that: (1) enable it to identify, assess, monitor and manage money laundering risk; and (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
The FSA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the United Kingdom financial sector issued by the Joint Money Laundering Steering Group.
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including: (1) its customer, product and activity profiles; (2) its distribution channels; (3) the complexity and volume of its transactions; (4) its processes and systems; and (5) its operating environment.
A firm should ensure that the systems and controls include: (1) appropriate training for its employees in relation to money laundering; (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls; (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
A firm (with the exception of a sole trader who has no employees) must: (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to: (1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems); (2)
A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so, a firm should have regard to: (1) compliance with applicable regulatory and other requirements; (2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to: (1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight); (2) the extent to which technology requirements are addressed in its business strategy; (3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to: (1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require
Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to: (1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual's honesty and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
The effective segregation of duties is an important element in the internal controls of a firm in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm's governing body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems.
The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business. [Note: article 5(1) final paragraph of the MiFID implementing Directive and articles 4(1) final paragraph and 5(4) of the UCITS implementing Directive]
A common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies. [Note: article 5(5) of the MiFID implementing Directive and article 4(5) of the UCITS implementing Directive]
The purpose of REC 3.16 is to ensure that the FSA receives a copy of the UK recognised body's plans and arrangements for ensuring business continuity if there are major problems with its computer systems. The FSA does not need to be notified of minor revisions to, or updating of, the documents containing a UK recognised body's business continuity plan (for example, changes to contact names or telephone numbers).
Where any reserve information technology system of a UK recognised body fails in such a way that, if the main information technology system of that body were also to fail, it would be unable to operate any of its facilities during its normal hours of operation, that body must immediately give the FSA notice of that event, and inform the FSA: (1) what action that UK recognised body is taking to restore the operation of the reserve information technology system; and (2) when it is
The FSA will approve a person as a sponsor only if it is satisfied that the person: (1) is an authorised person or a member of a designated professional body; (2) is competent to perform sponsor services; and (3) has appropriate systems and controls in place to ensure that it can carry out its role as a sponsor in accordance with this chapter.
A sponsor will generally be regarded as having appropriate systems and controls if there are: (1) clear and effective reporting lines in place (including clear and effective management responsibilities); (2) effective systems and controls for the appropriate supervision of employees providing sponsor services; (3) effective systems and controls to ensure its compliance with all applicable listing rules when performing sponsor services; (4) [deleted] (5) effective arrangements
A sponsor will generally be regarded as having appropriate systems and controls if it has in place effective policies and procedures: (1) to ensure that decisions taken on managing conflicts of interest are taken by appropriately senior staff and on a timely basis; (2) to monitor whether arrangements put in place to manage conflicts are effective; (3) to ensure that individuals within the sponsor are appropriately trained to enable them to identify, escalate and manage conflicts
A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.[Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]
A BIPRU firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions. [Note: annex V paragraph 4 of the Banking Consolidation Directive]
The Listing Principles are as follows: Principle 1 A listed company must take reasonable steps to enable its directors to understand their responsibilities and obligations as directors. Principle 2 A listed company must take reasonable steps to establish and maintain adequate procedures, systems and controls to enable it to comply with its obligations. Principle 3 A listed company must act with integrity towards holders and potential holders of its listed equity shares. Principle 4 A
Principle 2 is intended to ensure that listed companies have adequate procedures, systems and controls to enable them to comply with their obligations under the listing rules and disclosure rules and transparency rules. In particular, the FSA considers that listed companies should place particular emphasis on ensuring that they have adequate procedures, systems and controls in relation to: (1) identifying whether any obligations arise under LR 10 (Significant transactions) and
Timely and accurate disclosure of information to the market is a key obligation of listed companies. For the purposes of Principle 2, a listed company with a premium listing should have adequate systems and controls to be able to: (1) ensure that it can properly identify information which requires disclosure under the listing rules or disclosure rules and transparency rules in a timely manner; and (2) ensure that any information identified under (1) is properly considered by the
SYSC 13 provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any
The information required pursuant to sub-sections 287(c), (d) and (e) of the Act is: (1) a programme of operations which includes the types of business the applicant proposes to undertake and the applicant's proposed organisational structure; (2) particulars of the persons who effectively direct the business and operations of the exchange; and (3) particulars of the ownership of the exchange, and in particular the identity and scale of interests of the persons who are in a position
Under section 289 of the Act (Applications: supplementary) or (for an RAP applicant) regulation 2 of the RAP regulations, the FSA may require the applicant to provide additional information, and may require the applicant to verify any information in any manner. In view of their likely importance for any application, the FSA will normally wish to arrange for its own inspection of an applicant's information technology systems.
Information and supporting documentation (see REC 5.2.4 G). (1) Details of the applicant's constitution, structure and ownership, including its memorandum and articles of association (or similar or analogous documents) and any agreements between the applicant, its owners or other persons relating to its constitution or governance (if not contained in the information listed in REC 5.2.3A G). An applicant for RAP status must provide details of the relationship between the governance
(1) A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. (2) A BIPRU firm and a third country
A common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies. [Note: article 5(5) of the MiFID implementing Directive and article 4(5) of the UCITS implementing Directive]
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface
Frequently asked questions about allocation of functions in SYSC 2.1.3 R. This table belongs to SYSC 2.1.5 G. Question 1: Does an individual to whom a function is allocated under SYSC 2.1.3 R need to be an approved person? Answer: An individual to whom a function is allocated under SYSC 2.1.3 R will be performing the apportionment and oversight function (CF 8, see SUP 10.7.1 R) and an application must be made to the FSA for approval of the individual before the function is performed under
(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including: (a) the nature, scale and complexity of its business; (b) the diversity of its operations, including geographical diversity; (c) the volume and size of its transactions; and (d) the degree of risk associated with each area of its operation. (2) To enable it to comply with its obligation to maintain appropriate systems and controls,
The FSA will consider the full circumstances of each case when determining whether or not to take action for a financial penalty or public censure. Set out below is a list of factors that may be relevant for this purpose. The list is not exhaustive: not all of these factors may be applicable in a particular case, and there may be other factors, not listed, that are relevant. (1) The nature, seriousness and impact of the suspected breach, including: (a) whether the breach was deliberate
In some cases it may not be appropriate to take disciplinary measures against a firm for the actions of an approved person (an example might be where the firm can show that it took all reasonable steps to prevent the breach). In other cases, it may be appropriate for the FSA to take action against both the firm and the approved person. For example, a firm may have breached the rule requiring it to take reasonable care to establish and maintain such systems and controls as are
The precise role and organisation of internal controls can vary from firm to firm. However, a firm's internal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives: (1) safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities; (2) maintaining the efficiency and effectiveness of its operations; (3) ensuring the reliability
Recognised bodies may receive complaints from time to time from their members and other people, both about the conduct of members and about the recognised body itself. A UK recognised body will need to have satisfactory arrangements to investigate these complaints in order to satisfy the relevant recognition requirements (see REC 2.15 and REC 2.16) or RAP recognition requirements (see REC 2A.3.2 G).
Where the FSA receives a complaint about a recognised body, it will, in the first instance, seek to establish whether the complainant has approached the recognised body. Where this is not the case, the FSA will ask the complainant to complain to the recognised body. Where the complainant is dissatisfied with the handling of the complaint, but has not exhausted the recognised body's own internal complaints procedures (in the case of a complaint against a UK recognised body, including