Prudential Regulation Authority Rulebook

2.1

A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.

[Note: Art. 74(1) of the CRD, Art. 16(5) second paragraph of MiFID II]

2.2

The arrangements, processes and mechanisms referred to in 2.1 must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the business model and of the firm's activities and must take into account the specific technical criteria described in 2.6, Skills, Knowledge and Expertise 3.2, Risk Control and Remuneration.

[Note: Art. 74(2) of the CRD]

2.2A

A MiFID investment firm must extend the arrangements required by the Article 21 Organisational Requirements, so they apply with respect to other matters on the following basis:

1. (1) references to “investment services and activities” are references to financial services and activities;
2. (2) references to “relevant persons” are references to relevant persons; and
3. (3) references to “Article 25(2)” are references to General Organisational Requirements 4.2.

2.2B

A firm that is not a MiFID investment firm must comply with the Article 21 Organisational Requirements, on the basis set out in 2.2A and as if references to “investment firm” refer to a firm.

2.3

2.4

A firm must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question. Without prejudice to the ability of a competent authority to require access to communications in accordance with applicable law, a firm must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.

[Note: Art. 16(5) of the MiFID II]

2.5

A firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the firm must employ appropriate and proportionate systems, resources and procedures.

[Note: Art. 16(4) of MiFID II]

2.6

A firm must establish, implement and maintain contingency and business continuity plans to ensure the firm’s ability to operate on an ongoing basis and limit losses on the event of severe business disruption.

[Note: Art. 85(2) of the CRD]

2.7

2.8

A firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this Chapter and take appropriate measures to address any deficiencies.

2.9