Related provisions for SYSC 3.2.13
The purpose of this chapter is to set out how the systems and control requirements imposed by SYSC (Senior Management Arrangements, Systems and Controls) apply where a firm is part of a group. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.
This section implements Articles 73(3) (Supervision on a consolidated basis of credit institutions) and 138 (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directive and Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes).
A firm must: (1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and (2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.
For the purposes of SYSC 12.1.8 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business and of the risks that the group bears. Unless the firm is a Solvency II firm, risk management processes must include the stress testing and scenario analysis required by GENPRU 1.2.42 R and GENPRU 1.2.49R (1)(b).
The internal control mechanisms referred to in SYSC 12.1.8 R must include: (1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency, systems and controls and large exposures): (a) to which the firm is subject with respect to its membership of a group; or (b)
Where this section applies with respect to a financial conglomerate, the internal control mechanisms referred to in SYSC 12.1.8R (2) or, for a Solvency II firm, the internal control system referred to in the PRA Rulebook: Solvency II firms: Conditions Governing Business, rule 3, must include: (1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate
If this rule applies under SYSC 12.1.14 R to a firm, the firm must: (1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEA sub-group of which it is a member, as well as in relation to its group; and (2) ensure that the risk management processes and internal control mechanisms at the level of any consolidation group or non-EEA sub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated)
In the case of a firm that: (1) is a CRR firm; and (2) has a mixed-activity holding company as a parent undertaking; the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity holding company and any of the mixed-activity holding company's subsidiary
In some cases the management of the systems and controls used to address the risks described in SYSC 12.1.8R (1) may be organised on a group-wide basis. If the firm is not carrying out those functions itself, it should delegate them to the group members that are carrying them out. However, this does not relieve the firm of responsibility for complying with its obligations under SYSC 12.1.8R (1). A firm cannot absolve itself of such a responsibility by claiming that any breach
SYSC 12.1.8R (1) deals with the systems and controls that a firm should have in respect of the exposure it has to the rest of the group. On the other hand, the purpose of SYSC 12.1.8R (2) and the rules in this section that amplify it is to require groups to have adequate systems and controls. However a group is not a single legal entity on which obligations can be imposed. Therefore the obligations have to be placed on individual firms. The purpose of imposing the obligations
(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor. (2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including: (1) its customer, product and activity profiles; (2) its distribution channels; (3) the complexity and volume of its transactions; (4) its processes and systems; and (5) its operating environment.
A firm should ensure that the systems and controls include: (1) appropriate training for its employees in relation to money laundering; (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls; (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
A firm must: (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FCA's rules on systems and controls against money laundering; and (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G)
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities
A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
Schedule to the Recognition Requirements Regulations, paragraph 3 (1) The [UK RIE] must ensure that the systems and controls used in the performance of its [relevant functions] are adequate, and appropriate for the scale and nature of its business. (2) Sub-paragraph (1) applies in particular to systems and controls concerning - (a) the transmission of information; (b) the assessment, mitigation and management of risks to the performance of the [UK RIE's relevant functions]; (c) the effecting
In assessing whether the systems and controls used by a UK recognised body in the performance of its relevant functions are adequate and appropriate for the scale and nature of its business, the FCA may have regard to the UK recognised body's: (1) arrangements for managing, controlling and carrying out its relevant functions, including: (a) the distribution of duties and responsibilities among its key individuals and the departments of the UK recognised body responsible for performing
The following paragraphs set out other matters to which the FCA may have regard in assessing the systems and controls used for the transmission of information, risk management, the effecting and monitoring of transactions, the operation of settlement arrangements (the matters covered in paragraph 4(2)(d) of the Schedule to the Recognition Requirements Regulations) and the safeguarding and administration of assets.
In assessing a UK recognised body's systems and controls for assessing and managing risk, the FCA may also have regard to the extent to which these systems and controls enable the UK recognised body to: (1) identify all the general, operational, legal and market risks wherever they arise in its activities; (2) measure and control the different types of risk; (3) allocate responsibility for risk management to persons with appropriate knowledge and expertise; and (4) provide sufficient,
In assessing a UK RIE's systems and controls for the effecting and monitoring of transactions, and for the operation of settlement arrangements, the FCA may have regard to the totality of the arrangements and processes through which the UK RIE's transactions are effected, cleared, and settled, including: (1) a UK RIE's arrangements under which orders are received and matched, its arrangements for trade and transaction reporting, and (if relevant) its arrangements with another
In assessing a UK recognised body's systems and controls for the safeguarding and administration of assets belonging to users of its facilities, the FCA may have regard to the totality of the arrangements and processes by which the UK recognised body: (1) records the assets held and the identity of the owners of (and other persons with relevant rights over) those assets; (2) records any instructions given in relation to those assets; (3) records the carrying out of those instructions; (4)
The FCA may also have regard to the systems and controls intended to ensure that confidential information is only used for proper purposes. Where relevant, recognised bodies will have to comply with section 348 (Restrictions on disclosure of confidential information by the FCA etc.) and regulations made under section 349 (Exemptions from section 348) of the Act.
A UK recognised body's arrangements for internal and external audit will be an important part of its systems and controls. In assessing the adequacy of these arrangements, the FCA may have regard to: (1) the size, composition and terms of reference of any audit committee of the UK recognised body's governing body; (2) the frequency and scope of external audit; (3) the provision and scope of internal audit; (4) the staffing and resources of the UK recognised body's internal audit
Information technology is likely to be a major component of the systems and controls used by any UK recognised body. In assessing the adequacy of the information technology used by a UK recognised body to perform or support its relevant functions, the FCA may have regard to: (1) the organisation, management and resources of the information technology department within the UK recognised body; (2) the arrangements for controlling and documenting the design, development, implementation
The FCA may also have regard to the arrangements for maintaining, recording and enforcing technical and operational standards and specifications for information technology systems, including: (1) the procedures for the evaluation and selection of information technology systems; (2) the arrangements for testing information technology systems before live operations; (3) the procedures for problem management and system change; (4) the arrangements to monitor and report system performance,
SYSC 4.1.1 R requires every firm, including a credit union, to have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing
A credit union’s systems and controls should be proportionate to the nature, scale and complexity of the activities it undertakes. For instance, a small credit union will not usually be expected to have the same systems and controls as a large one, and a credit union offering only basic savings accounts and loans will not be expected to have the same systems and controls as one offering a wider range of services or more complicated products.
(1) The term 'internal audit function' in CREDS 2.2.10 E refers to the generally understood concept of internal audit within a firm, in other words the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28). (2) Guidance on internal audit is given in CREDS 2.2.40 G to CREDS 2.2.50 G.
CREDS 2.2.8 R requires a credit union's system of control to be fully documented. The documentation helps the governing body to assess if systems are maintained and controls are operating effectively. It also helps those reviewing the systems to verify that the controls in place are those that have been authorised, and that they are adequate for their purpose.
(1) The governing body should decide what form this documentation should take, but the governing body should have in mind the following points. (a) Documents should be comprehensive: they should cover all material aspects of the operations of the credit union. (b) Documents should be integrated: separate elements of the system should be cross-referred so that the system can be viewed as a whole. (c) Documents should identify risks and the controls established to manage those risks.
Some important compliance issues include: (1) insurance against fraud and dishonesty; (2) arrangements for the prevention, detection and reporting of money laundering; (3) establishing and maintaining a satisfactory system of control; (4) keeping proper books of account; (5) computation and application of profits; (6) investment of surplus funds; (7) capital requirements; (8) liquidity requirements; (9) limits on shares and loans; (10) maintenance of membership records; (11) submission
The purposes of an internal audit are: (1) to ensure that the policies and procedures of the credit union are followed; (2) to provide the governing body with a continuous appraisal of the overall effectiveness of the control systems, including proposed changes; (3) to recommend improvements where desirable or necessary; (4) to determine whether the internal controls established by the governing body are being maintained properly and operated as laid down in the policy, and comply
The internal audit function (see CREDS 2.2.11G) should develop an audit plan, covering all aspects of the credit union's business. The audit plan should identify the scope and frequency of work to be carried out in each area. Areas identified as higher risk should be covered more frequently. However, over a set timeframe (likely to be one year) all areas should be covered. Care should be taken to avoid obvious patterns in assessing the different areas of the credit union's business,
A firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that: (1) enable it to identify, assess, monitor and manage money laundering risk; and (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
The FCA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the United Kingdom financial sector issued by the Joint Money Laundering Steering Group.
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including: (1) its customer, product and activity profiles; (2) its distribution channels; (3) the complexity and volume of its transactions; (4) its processes and systems; and (5) its operating environment.
A firm should ensure that the systems and controls include: (1) appropriate training for its employees in relation to money laundering; (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls; (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
A firm (with the exception of a sole trader who has no employees) must: (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FCA's rules on systems and controls against money laundering; and (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to: (1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems); (2)
A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so, a firm should have regard to: (1) compliance with applicable regulatory and other requirements; (2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to: (1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight); (2) the extent to which technology requirements are addressed in its business strategy; (3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to: (1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require
Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to: (1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or
Failing to take reasonable steps to implement (either personally or through a compliance department or other departments) adequate and appropriate systems of control to comply with the relevant requirements and standards of the regulatory system in respect of the regulated activities of the firm in question (as referred to in Statement of Principle 7) falls within APER 4.7.2 E. In the case of an approved person who is responsible, under SYSC 2.1.3 R (2) or SYSC 4.4.5 R (2),
Failing to take reasonable steps to ensure that procedures and systems of control are reviewed and, if appropriate, improved, following the identification of significant breaches (whether suspected or actual) of the relevant requirements and standards of the regulatory system relating to the regulated activities of the firm in question (as referred to in Statement of Principle 7), falls within APER 4.7.2 E (see APER 4.7.13 G and APER 4.7.14 G).
Behaviour of the type referred to in APER 4.7.7 E includes, but is not limited to: (1) unreasonably failing to implement recommendations for improvements in systems and procedures; (2) unreasonably failing to implement recommendations for improvements to systems and procedures in a timely manner.
In the case of an approved person performing a significant influence function responsible for compliance under SYSC 3.2.8 R, SYSC 6.1.4 R or SYSC 6.1.4A R, failing to take reasonable steps to ensure that appropriate compliance systems and procedures are in place falls within APER 4.7.2A E (see APER 4.7.13 G and APER 4.7.14 G).
An approved person performing a significant influence function need not himself put in place the systems of control in his business (APER 4.7.4 E). Whether he does this depends on his role and responsibilities. He should, however, take reasonable steps to ensure that the business for which he is responsible has operating procedures and systems which include well-defined steps for complying with the detail of relevant requirements and standards of the regulatory system and for
Where the approved person performing a significant influence function becomes aware of actual or suspected problems that involve possible breaches of relevant requirements and standards of the regulatory system falling within his area of responsibility, then he should take reasonable steps to ensure that they are dealt with in a timely and appropriate manner (APER 4.7.7 E). This may involve an adequate investigation to find out what systems or procedures may have failed and why.
Where independent reviews of systems and procedures have been undertaken and result in recommendations for improvement, the approved person performing a significant influence function should ensure that, unless there are good reasons not to, any reasonable recommendations are implemented in a timely manner (APER 4.7.10 E). What is reasonable will depend on the nature of the inadequacy and the cost of the improvement. It will be reasonable for the approved person performing a significant
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual's honesty and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
The effective segregation of duties is an important element in the internal controls of a firm in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm's governing body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems.
The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business. [Note: article 5(1) final paragraph of the MiFID implementing Directive and articles 4(1) final paragraph and 5(4) of the UCITS implementing Directive]
A common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies. [Note: article 5(5) of the MiFID implementing Directive and articles 4(5) of the UCITS implementing Directive]
A firm must have in place sound, effective and comprehensive strategies, processes and systems: (1) to assess and maintain, on an ongoing basis, the amounts, types and distribution of financial resources, own funds and internal capital that it considers adequate to cover: (a) the nature and level of the risks to which it is, or might be, exposed; (b) the risk in the overall financial adequacy rule; (c) the risk that the firm might not be able to meet the obligations in Part Three
A firm must: (1) carry out regularly the assessments required by the overall Pillar 2 rule; and (2) carry out regular assessments of the processes, strategies and systems required by the overall Pillar 2 rule to ensure that they remain comprehensive and proportionate to the nature, scale and complexity of the firm's activities. [Note: article 73 second paragraph (part) of CRD]
Certain risks, such as systems and controls weaknesses, may not be adequately addressed by, for example, holding additional capital and a more appropriate response would be to rectify the weakness. In such circumstances, the amount of financial resources required to address these risks might be zero. However, a firm should consider whether holding additional capital might be an appropriate response until the identified weaknesses are rectified. A firm should, in line with IFPRU
A firm should carry out assessments of the sort described in the overall Pillar 2 rule and IFPRU 2.2.13 R at least annually, or more frequently if changes in the business, strategy, nature or scale of its activities or operational environment suggest that the current level of financial resources is no longer adequate. The appropriateness of the internal process, and the degree of involvement of senior management in the process, will be taken into account by the FCA when reviewing
A firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions. [Note: article 79(c) of CRD]
Compliance with the obligations in IFPRU 2.2.59 R must enable the FCA consolidation group or the non-EEA sub-group to have arrangements, processes and mechanisms that are consistent, well integrated and ensure that data relevant to the purpose of supervision can be produced. [Note: article 109(2) of CRD]
A firm should satisfy itself that the systems (including IT) of the FCA consolidation group or the non-EEA sub-group of which it is a member are sufficiently sound to support the effective management and, where applicable, the quantification of the risks that could affect the FCA consolidation group or the non-EEA sub-group, as the case may be.
The purpose of REC 3.16 is to ensure that the FCA1receives a copy of the UK recognised body's plans and arrangements for ensuring business continuity if there are major problems with its computer systems. The FCA1does not need to be notified of minor revisions to, or updating of, the documents containing a UK recognised body's business continuity plan (for example, changes to contact names or telephone numbers). 11
Where any reserve information technology system of a UK recognised body fails in such a way that, if the main information technology system of that body were also to fail, it would be unable to operate any of its facilities during its normal hours of operation, that body must immediately give the FCA1notice of that event, and inform the FCA:111(1) what action that UK recognised body is taking to restore the operation of the reserve information technology system; and (2) when it
The Listing Principles are as follows:Listing3 Principle 1A listed company must take reasonable steps to establish and maintain adequate procedures, systems and controls to enable it to comply with its obligations.33Listing3 Principle 2A listed company must deal with the FCA in an open and co-operative manner.33Principle 3[deleted]33Principle 4[deleted]33Principle 5[deleted]33Principle 6[deleted]33
Listing Principle 13 is intended to ensure that listed companies have adequate procedures, systems and controls to enable them to comply with their obligations under the listing rules, disclosure rules, transparency rules and corporate governance rules.3 In particular, the FCA considers that listed companies should place particular emphasis on ensuring that they have adequate procedures, systems and controls in relation to, where applicable:333(1) identifying whether any obligations
Timely and accurate disclosure of information to the market is a key obligation of listed companies. For the purposes of Listing Principle 13, a listed company should have adequate systems and controls to be able to:3313(1) ensure that it can properly identify information which requires disclosure under the listing rules, disclosure rules, transparency rules or corporate governance rules3 in a timely manner; and3(2) ensure that any information identified under (1) is properly
The FCA will approve a person as a sponsor only if it is satisfied that the person :4(1) is 4an authorised person or a member of a designated professional body;(2) is 4competent to provide8sponsor services4 in accordance with LR 88; and8(3) has appropriate 4systems and controls in place to carry out its role as a sponsor in accordance with LR 884.488
7Situations when the FCA may impose restrictions or limitations on the services a sponsor can provide include (but are not limited to) where it appears to the FCA that: (1) the employees of the person applying to be a sponsor whom it is proposed will perform sponsor services have no or limited relevant experience and expertise of providing certain types of sponsor services or of providing sponsor services to certain types of company; or(2) the person applying to be a sponsor does
8A sponsor or a person applying for approval as a sponsor will not satisfy LR 8.6.5R (3) unless it has in place:(1) clear and effective reporting lines for the provision of sponsor services (including clear and effective management responsibilities);(1A) effective systems and controls which require employees with management responsibilities for the provision of sponsor services to understand and apply the requirements of LR 8; (2) effective systems and controls for the appropriate
4A sponsor will generally be regarded as having appropriate systems and controls for identifying and managing conflicts6 if it has in place effective policies and procedures:(1) to ensure that decisions taken on managing conflicts of interest are taken by appropriately senior staff and on a timely basis;(2) to monitor whether arrangements put in place to manage conflicts are effective; and6(3) to ensure that individuals within the sponsor are appropriately trained to enable them
The precise role and organisation of internal controls can vary from firm to firm. However, a firm'sinternal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives:(1) safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities;(2) maintaining the efficiency and effectiveness of its operations;(3) ensuring the reliability
When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in SYSC 14.1.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of: (1) the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G); (2) how the delegation or contracting of functions or activities to employees, appointed representatives
(1) SYSC 14.1.29G(6) does not apply to a Solvency II firm. (2) SYSC 14.1.29G(7) does not apply to a Solvency II firm, but only in relation to references to the internal audit function. It does apply to a Solvency II firm in relation to references to the internal audit committee. (3) For Solvency II firms, the PRA has made rules implementing the governance provisions of the Solvency II Directive relating to internal controls (article 46), see PRA Rulebook: Solvency II firms: Conditions
(1) The internal system evaluation method is available to any firm, including one that is not able to use the internal custody reconciliation method because it does not meet the requirements at CASS 6.6.16R (1) and CASS 6.6.16R (2). (2) The purpose of the internal system evaluation method is to detect weaknesses in a firm's systems and controls and any recordkeeping discrepancies. However, this method is not designed to substitute a firm's other measures for ensuring compliance
The internal system evaluation method requires a firm to: (1) establish a process that evaluates: (a) the completeness and accuracy of the firm's internal records and accounts of safe custody assets held by the firm for clients, in particular whether sufficient information is being completely and accurately recorded by the firm to enable it to: (i) comply with CASS 6.6.4 R; and (ii) readily determine the total of all the safe custody assets that the firm holds for its clients; and (b)
The evaluation process under CASS 6.6.19R (1) should verify that the firm's systems and controls correctly identify and resolve at least the following types or causes of discrepancies: (1) items in the firm's records and accounts that might be erroneously overstating or understating the safe custody assets held by a firm (for example, 'test' entries and 'balancing' entries); (2) negative balances; (3) processing errors; (4) journal entry errors (eg, omissions and unauthorised system
SYSC 13 provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any
A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm. [Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]
Frequently asked questions about allocation of functions in SYSC 2.1.3 R. This table belongs to SYSC 2.1.5 G. Question 1: Does an individual to whom a function is allocated under SYSC 2.1.3 R need to be an approved person? Answer: An individual to whom a function is allocated under SYSC 2.1.3 R will be performing the apportionment and oversight function (CF 8, see SUP 10A.7.1 R) and an application must be made under section 59 of the Act for approval of the individual before the function
The FCA will consider the full circumstances of each case when determining whether or not to take action for a financial penalty or public censure. Set out below is a list of factors that may be relevant for this purpose. The list is not exhaustive: not all of these factors may be applicable in a particular case, and there may be other factors, not listed, that are relevant. (1) The nature, seriousness and impact of the suspected breach, including: (a) whether the breach was deliberate
In some cases it may not be appropriate to take disciplinary measures against a firm for the actions of an approved person (an example might be where the firm can show that it took all reasonable steps to prevent the breach). In other cases, it may be appropriate for the FCA to take action against both the firm and the approved person. For example, a firm may have breached the rule requiring it to take reasonable care to establish and maintain such systems and controls as are
The information required pursuant to sub-sections 287(c), (d) and (e) of the Act is: (1) a programme of operations which includes the types of business the applicant proposes to undertake and the applicant's proposed organisational structure; (2) particulars of the persons who effectively direct the business and operations of the exchange; and (3) particulars of the ownership of the exchange, and in particular the identity and scale of interests of the persons who are in a position
Under section 289 of the Act (Applications: supplementary) or (for an RAP applicant) regulation 2 of the RAP regulations, the FCA may require the applicant to provide additional information, and may require the applicant to verify any information in any manner. In view of their likely importance for any application, the FCA will normally wish to arrange for its own inspection of an applicant's information technology systems.
Information and supporting documentation (see REC 5.2.4 G). (1) Details of the applicant's constitution, structure and ownership, including its memorandum and articles of association (or similar or analogous documents) and any agreements between the applicant, its owners or other persons relating to its constitution or governance (if not contained in the information listed in REC 5.2.3A G). An applicant for RAP status must provide details of the relationship between the governance
(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including: (a) the nature, scale and complexity of its business; (b) the diversity of its operations, including geographical diversity; (c) the volume and size of its transactions; and (d) the degree of risk associated with each area of its operation. (2) To enable it to comply with its obligation to maintain appropriate systems and controls,