2

General Requirements

2.1

A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.

[Note: Art. 74(1) of the CRD, Art. 13(5) second paragraph of MiFID]

2.2

The arrangements, processes and mechanisms referred to in 2.1 must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the business model and of the firm's activities and must take into account the specific technical criteria described in 2.6, Skills, Knowledge and Expertise 3.2, Risk Control and (for a firm to which SYSC 19A applies), SYSC 19A of the PRA Handbook.

2.3

A firm must, taking into account the nature, scale and complexity of the business of the firm, and the nature and range of the financial services and activities undertaken in the course of that business establish, implement and maintain:

  (1) decision-making procedures and an organisational structure which clearly and in a documented manner specifies reporting lines and allocates functions and responsibilities;
  (2) adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm; and
  (3) effective internal reporting and communication of information at all relevant levels of the firm.

[Note: Arts. 5(1) final paragraph, 5(1)(a), 5(1)(c) and 5(1)(e) of the MiFID implementing Directive]

2.4

A firm must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.

[Note: Art. 5(2) of the MiFID implementing Directive]

2.5

A firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the firm must employ appropriate and proportionate systems, resources and procedures.

[Note: Art. 13(4) of MiFID]

2.6

A firm must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.

[Note: Art. 5(3) of the MiFID implementing Directive and Art 85(2) of the CRD]

2.7

A firm must establish, implement and maintain accounting policies and procedures that enable it, at the request of the PRA, to deliver in a timely manner to the PRA financial reports which reflect a true and fair view of its financial position and which comply with all applicable accounting standards and rules.

[Note: Art. 5(4) of the MiFID implementing Directive]

2.8

A firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with 2.3 to 2.7 and take appropriate measures to address any deficiencies.

[Note: Art. 5(5) of the MiFID implementing Directive]

2.9

  (1) A firm must have in place appropriate procedures for its employees to report breaches internally through a specific, independent and autonomous channel.
  (2) The channel in (1) may be provided through arrangements provided for by social partners.

[Note: Art. 71(3) of the CRD]