SS4/16 – Internal governance of third country branches

1

Introduction

1.1

This supervisory statement (SS) is relevant to non-EEA banks and PRA-designated investment firms in respect of their operations in the United Kingdom through branches known as ‘third country branches’ (where singular ‘third country branch’). It sets out the PRA’s expectations for the internal governance of third country branches and how these firms should comply with the Internal Governance of Third Country Branches parts of the PRA Rulebook. The rules and supervisory statement cover the following areas:

  • general organisational requirements;
  • persons who effectively direct the business;
  • responsibility of senior personnel;
  • skills, knowledge and expertise;
  • compliance and internal audit;
  • risk control;
  • outsourcing; and
  • record keeping.

1.2

This statement replaces the guidance material previously included in chapters 4 – 9 and 21 of the Senior Management Arrangements, Systems and Controls (SYSC) section of the Handbook. It does not seek to introduce additional or new obligations nor change the PRA expectations of how non-EEA banks and PRA-designated investment firms organise their UK branches. Where relevant, the statement takes into account the requirements of the Senior Managers and Certification Regime (SM&CR) which apply to third country branches.1

Footnotes

  • 1. The statement was also informed by the SYSC attestation exercise in paragraphs 1.26-1.28 of SS10/14 which branches undertook in 2015. PRA Supervisory Statement 10/14 ‘Supervising international banks: the PRA’s approach to branch supervision’, September 2014: www.bankofengland.co.uk/pra/Pages/publications/ss/2014/ss1014.aspx.

1.3

The statement should be read in conjunction with the PRA Fundamental Rules and with:

  • Internal Governance of Third Country Branches parts of the PRA Rulebook;
  • The PRA’s approach to banking supervision (approach document);2
  • Supervisory Statement SS10/14: Supervising international banks: the Prudential Regulation Authority’s approach to branch supervision;3
  • Policy Statement 20/15: Strengthening individual accountability in banking: UK branches of non‐EEA banks;4
  • Supervisory Statement SS28/15: Strengthening individual accountability in banking;5 and
  • Supervisory Statement 34/15: Guidelines for completing regulatory reports.6

1.4

All PRA-authorised firms are required to meet the statutory PRA Threshold Conditions on a continuing basis. For branches in the United Kingdom, the PRA’s authorisation applies to the whole firm; therefore the Threshold Conditions apply to the whole firm, not just the branch in the United Kingdom.

2

General organisational requirements

General requirements

2.1

The PRA expects that the arrangements, processes and mechanisms implemented by a third country branch should be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in its business and its activities and take into account the specific technical criteria described in the Remuneration Part of the PRA Rulebook.

Expectations in relation to the Senior Managers and Certification regimes

2.2

The PRA expects third country branches to have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility. All firms subject to the SM&CR, which includes third country branches, are required, by section 60(2A) of the Financial Services and Markets Act (FSMA), to produce a Statement of Responsibilities (SoR) for each of their individuals in scope of the regime.7 More specifically, SoRs must:

  • clearly set out the areas of the branch’s UK regulated activities for which the senior manager is responsible;
  • be included in every application for pre-approval as a senior manager; and
  • be updated and resubmitted if there is a significant change to the senior manager’s responsibilities.

Footnotes

  • 7. ‘Senior Managers’ as per section 60(2A) and section 62A of FSMA. The rules on SoRs are set out in ‘Allocation of Responsibilities’ 2. The PRA’s expectations are set out in PRA Supervisory Statement 28/15, ‘Strengthening individual accountability in banking’, December 2015 (Updated January 2016): www.bankofengland.co.uk/pra/Pages/publications/ss/2016/ss2815update.aspx.

2.3

A third country branch is also expected to produce and maintain a Management Responsibilities Map, which is a single, up-to-date document setting out the branch’s management and governance arrangements.8 Responsibilities Maps should be proportionate and include information about the business relationship with the head office and group.

2.3A

Firms should be aware of the expectations set out in SS34/15 ‘Guidelines for completing regulatory reports’ in relation to the following reporting requirements for branches of third-country banks:

  • risk management arrangements of the branch; and
  • governance arrangements, including key function holders for the activities of the branch.

Mechanisms and procedures

2.4

The PRA expects that, taking into account the nature, scale and complexity of the business of the third country branch, and the nature and range of the financial services activities undertaken in the course of that business, the branch should establish, implement and maintain:

  • decision-making procedures and an organisational structure which clearly and in a documented manner specifies reporting lines and allocates functions and responsibilities; and
  • effective internal reporting and communication of information at all relevant levels of the branch.

Business continuity

2.5

The PRA expects a third country branch to take reasonable steps to ensure continuity and regularity in the performance of its regulated activities.

2.6

A third country branch should establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited. The business continuity policy should also ensure the preservation of essential data and functions, and the maintenance of its regulated activities, or, where that is not possible, the recovery of such data and functions and the timely resumption of those activities.

2.7

The matters dealt with in a firm’s business continuity policy should include:

  • resource requirements such as people, processes, systems and other assets, and arrangements for obtaining these resources;
  • the recovery priorities for the firm’s and branch’s operations;
  • communication arrangements for internal and external parties concerned (including regulators, clients and the press);
  • escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
  • processes to validate the integrity of information affected by the disruption; and
  • regular testing of the business continuity policy in an appropriate manner in accordance with 2.8.

Regular monitoring

2.8

A third country branch should monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with Chapter 2 of the Internal Governance of Third Country Branches Part of the PRA Rulebook, and take appropriate measures to address any deficiencies.

3

Persons who effectively direct the business

3.1

The persons referred to in Chapter 3 of the Internal Governance of Third Country Branches Part of the PRA Rulebook should either be executive directors or persons granted executive powers by, and who report to, the governing body of the third country head office.

3.2

The PRA requires all third country branches to have at least one individual approved as a bespoke Senior Management Function (SMF) known as the Head of Overseas Branch (SMF19) with the option of having more than one individual if they elect to do so as set out in PS20/15 and PS29/15.9 The individual(s) performing the SMF19 should have the highest degree of individual decision-making authority within the third country branch over activities and areas subject to UK regulation.

3.3

The PRA expects a firm as a whole to ensure that its management is undertaken by at least two persons who satisfy the criteria in Article 91 of CRD IV.10

4

Responsibilities of senior personnel

4.1

The PRA expects a third country branch to ensure that:

  • the branch senior personnel receive on a frequent basis, and at least annually, written reports on matters covered in sections 6.5 and 7.7, including in particular whether the appropriate remedial measures have been taken in the event of any deficiencies; and
  • the supervisory function, if any, receives on a regular basis written reports on the same matters.

4.2

In the PRA’s view, the supervisory function does not include a general meeting of the shareholders of the firm, or equivalent bodies, but could involve, for example, a separate supervisory body within a two-tiered board structure or the establishment of a non-executive committee of a single-tier board structure.

5

Employees, agents and other relevant persons

Skills, knowledge and expertise

5.1

In the PRA’s view, a third country branch’s systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual’s honesty and competence.

5.2

Any assessment of an individual’s suitability should take into account the level of responsibility that the individual will assume within the third country branch. The nature of the assessment will generally differ depending upon whether it takes place at the start of the individual’s recruitment, at the end of the probationary period (if there is one) or subsequently.

5.3

The Certification Regime provides a framework for third country branches to assess and certify the fitness and propriety of certain employees on appointment and at least annually thereafter.

Segregation of functions

5.4

In the PRA’s view a third country branch should ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular functions soundly, honestly and professionally. The senior personnel within the third country branch should define arrangements concerning the segregation of duties within the branch and the prevention of conflicts.

5.5

The effective segregation of duties is an important element in the internal controls of a third country branch in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit assets or incur liabilities. Segregation can also help to ensure that the firm’s governing body receives objective and accurate information on financial performance, the risks faced by the third country branch and the adequacy of its systems.

5.6

A third country branch should normally ensure that no single individual has unrestricted authority to do all of the following:

  • initiate a transaction;
  • bind the third country branch or the whole firm;
  • make payments; and
  • account for it.

5.7

Where a third country branch is unable to ensure the complete segregation of duties (for example, because the branch has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant branch senior managers).

5.8

Where a third country branch outsources its internal audit function, it should take reasonable steps to ensure that every individual involved in the performance of this service is independent from the individuals who perform its external audit. This should not prevent services from being undertaken by a firm’s external auditors provided that:

  • the work is carried out under supervision and management of the third country branch’s own internal staff; and
  • potential conflicts of interest between the provision of external audit services and the provision of internal audit are properly managed.

Awareness of procedures

5.9

A third country branch should ensure that its relevant persons are aware of the procedures which they are expected to follow for the proper discharge of their responsibilities, including compliance with PRA and FCA Rules.

5.10

A third country branch should monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with the Internal Governance of Third Country Branches 5.1 and section 5 of this supervisory statement and take appropriate measures to address any deficiencies.

6

Compliance and internal audit

Compliance function

6.1

Depending on the nature, scale and complexity of its business, it may be appropriate for a third country branch to have a separate compliance function. Where a third country branch has a separate compliance function, it should be permanent, effective, operate independently and should have the following responsibilities:

  • to monitor and, on a regular basis, to assess the adequacy and effectiveness of the measures and procedures put in place in accordance with Internal Governance of Third Country Branches 6.2, and the actions taken to address any deficiencies in the third country branch’s compliance with its obligations; and
  • to advise and assist the relevant persons responsible for carrying out regulated activities to comply with the third country branch’s obligations under the regulatory system.

6.2

In order to enable the third country branch compliance function to discharge its responsibilities properly and independently, the PRA expects that the third country branch should ensure the compliance function has the necessary authority, resources, expertise and access to all relevant information.

6.3

In addition, where appropriate and proportionate in view of the nature, scale and complexity of its business, and the nature and range of its financial services and activities undertaken in the course of that business, the PRA expects the third country branch to ensure the following conditions are met:

  • the relevant persons involved in the third country branch’s compliance team should not be involved in the performance of services or activities they monitor; and
  • the method of determining the remuneration of the relevant persons involved in the third country branch’s compliance function does not compromise their objectivity.

6.4

In setting the method of determining the remuneration of persons involved in the third country branch’s compliance team, the PRA expects a third country branch to comply with the Remuneration Part of the PRA Rulebook.

Internal audit function

6.5

The PRA expects that a third country branch should, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services activities undertaken in the course of that business, establish an independent internal audit function. The internal audit function should have the following responsibilities:

  • to establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the third country branch’s governance, systems, internal control mechanisms and arrangements (or alternatively, to assess the extent to which the firm’s or group’s audit plan meets local regulatory requirements and make any modifications that may be necessary);
  • to issue recommendations based on the result of work carried out in accordance with the audit plan;
  • to verify compliance with those recommendations; and
  • to report in relation to internal audit matters in accordance with 4.1.

6.6

The term ‘internal audit function’ above refers to the generally understood concept of internal audit within a third country branch, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies.

6.7

Where a third country branch has an individual performing the role of head of internal audit, he or she will need to be pre-approved as the Head of Internal Audit function (SMF5). This can include individuals performing this role across a range of UK legal entities, such as a regional head of internal audit responsible for this area in the firm’s UK subsidiaries as well as the branch.

7

Risk control

7.1

Internal Governance of Third Country Branches 2.1 requires a third country branch to have effective processes to identify, classify, manage, monitor and report the risks it is or might be exposed to.

7.2

A third country branch should establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the third country branch’s activities, processes and systems, and where appropriate, set its risk appetite or the level of risk tolerated by the third country branch.

7.3

A third country branch should adopt effective arrangements, processes and mechanisms to identify and manage the risk relating to its activities, processes and systems, in the light of that level of risk tolerance.

7.4

The management body should approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the third country branch is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

7.5

For a firm included within the scope of the Internal Capital Adequacy Assessment 15 (Reverse stress testing), the strategies, policies and procedures for identifying, taking up, managing, monitoring and mitigating the risks to which the firm is or might be exposed include conducting reverse stress tests on its business plan as well. This would further senior personnel’s understanding of the firm’s vulnerabilities and would help them design measures to prevent or mitigate the risk of business failure.

7.6

A third country branch should monitor the following:

  • the adequacy and effectiveness of its risk management function, policies and procedures;
  • the level of compliance by the third country branch and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with 7.3; and
  • the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements, processes and mechanisms or follow such policies and procedures.

7.7

A third country branch should, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the financial services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:

  • implementation of the policies and procedures referred to in 7.2 to 7.6; and
  • provision of reports and advice to senior personnel in accordance with 4.1.

7.8

Where a third country branch does not maintain a risk management function that functions independently, it should nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with 7.2 to 7.6 satisfy those provisions and are consistently effective.

7.9

In setting the method of determining the remuneration of employees involved in the risk management function, third country branches will need to comply with the Remuneration parts of the PRA Rulebook.

7.10

The term ‘risk management function’ in 7.6 and 7.8 refers to the generally understood concept of risk assessment within a firm or third country branch, that is, the function of setting and controlling risk exposure. The risk management function is not a controlled function itself, but is part of the systems and controls function (SMF4).

Governance arrangements

7.11

The PRA expects that a third country branch should consider whether in order to fulfil Internal Governance for Third Country Branches 2.1 and the general organisational requirements in this supervisory statement, their risk control arrangements should include:

  • the appointment of a branch head of risk; and
  • the establishment of a branch risk management oversight team whose role includes giving risk oversight under an effective risk management structure and framework.

Branch head of risk

7.12

Where a third country branch has an individual performing the role of head of risk, he or she will need to be pre-approved as the Head of Risk function (SMF4) as explained in SS28/15 Strengthening individual accountability in banking.11 This can include individuals performing this role across a range of UK legal entities, such as a regional CRO responsible for this area in the firm’s UK subsidiaries as well as the branch. The PRA expects that an SMF4 should:

  • be accountable to the management body of the firm for oversight of branch-wide risk management;
  • be fully independent of a branch’s individual business units;
  • have sufficient authority, stature and resources for the effective execution of his/her responsibilities;
  • have unfettered access to any parts of the branch’s business capable of having an impact on the branch’s risk profile;
  • ensure that the data used by the branch to assess its risks are fit for purpose in terms of quality, quantity and breadth;
  • provide oversight and challenge of the branch’s systems and controls in respect of risk management;
  • provide oversight and validation of the branch’s reporting of risk;
  • ensure the adequacy of risk information, risk analysis and risk training provided to members of the branch’s management team;
  • report to the branch’s management team (and, if appropriate, to the management body of a firm) on the branch’s risk exposures relative to its risk appetite and tolerance, and the extent to which the risks inherent in any proposed business strategy and plans are consistent with the branch’s risk appetite and tolerance. The branch head of risk should also alert the branch’s management team to, and provide challenge on, any business strategy or plans that exceed the branch’s risk appetite and tolerance; and
  • provide risk-focused advice and information into the setting and individual application of the branch’s remuneration policy consistent with the Remuneration Part of the PRA Rulebook.

7.13

The PRA expects that a third country branch will structure its arrangements so that senior management personnel at an appropriate level within the group will exercise the functions in 7.12, taking into account group-wide risks.

Reporting lines of branch head of risk

7.14

Where a third country branch has an individual performing the role of head of risk, they should be accountable to a branch’s management team and, in most cases, to the head of the firm or group risk management function. The PRA recognises that in addition, a reporting line should be established for operational purposes. Accordingly, to the extent necessary for effective operational management, the branch head of risk should report into the most senior branch management personnel. In practice, the PRA expects this to be the Head of Overseas Branch (SMF19) or another manager with a reporting line to the SMF19.

Appointment and removal of branch head of risk

7.15

A third country branch should ensure that its branch head of risk’s remuneration is subject to approval by the firm’s management body, or an appropriate sub-committee. A third country branch should also ensure that the branch head of risk may not be removed from that role without the approval of the firm’s management body or its head office.

Branch risk oversight team

7.16

The PRA expects that, while a branch’s management team is ultimately responsible for risk governance throughout the business, a third country branch should consider establishing a mechanism for providing risk oversight to the branch’s business activities to provide focused support and advice on risk governance. Where a third country branch has established a risk oversight team, its responsibilities should typically include:

  • providing advice to the branch’s management team on risk strategy, including the oversight of current risk exposures of the branch, with particular, but not exclusive, emphasis on prudential risks;
  • development of proposals for consideration by the branch management team in respect of overall risk appetite and tolerance, as well as the metrics to be used to monitor the branch’s risk management performance;
  • oversight and challenge of the design and execution of stress and scenario testing;
  • oversight and challenge of the day-to-day risk management and oversight arrangements of the branch management team;
  • oversight and challenge of due diligence on risk issues relating to material transactions and strategic proposals that are subject to approval by the branch management team; and
  • providing advice, oversight and challenge necessary to embed and maintain a supportive risk culture throughout the branch.

7.17

In carrying out their risk governance responsibilities, a third country branch’s management team and branch risk oversight function covering the branch should have regard to any relevant advice from the firm’s audit committee concerning the effectiveness of its current control framework. In addition, they should remain alert to the possible need for expert advice and support on any risk issue, taking action to ensure that they receive such advice and support as may be necessary to meet their responsibilities effectively.

8

Outsourcing

8.1

A third country branch should ensure that when relying on a third party for the performance of operational functions which are critical for the performance of its regulated activities, listed activities or ancillary services on a continuous and satisfactory basis, it takes reasonable steps to avoid undue additional operational risk.

8.2

A third country branch should not undertake the outsourcing of important operational functions in such a way as to impair materially:

  • the quality of its internal control; and
  • the ability of the appropriate regulator to monitor the branch’s compliance with all obligations under the regulatory system.

8.3

Internal Governance for Third Country Branches 2.1 requires a third country branch to have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Except in relation to those functions described in 8.5, where a firm relies on a third party for the performance of operational functions which are not critical or important for the performance of relevant services and activities (see 8.1) on a continuous and satisfactory basis, it should take into account, in a manner that is proportionate given the nature, scale and complexity of the outsourcing, the provisions in this section in complying with the rule.

8.4

An operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a third country branch with the conditions and obligations of its authorisation or its other obligations under the regulatory system, its financial performance, or the soundness or the continuity of its relevant services and activities.

8.5

Without prejudice to the status of any other function, the following functions should not be considered as critical or important for the purposes of this section:

  • the provision to the branch of advisory services, and other services which do not form part of the relevant services and activities of the branch, including the provision of legal advice to the branch, the training of personnel of the branch, billing services and the security of the branch’s premises and personnel; and
  • the purchase of standardised services, including market information services and the provision of price feeds.

8.6

The PRA expects a third country branch to exercise due skill, care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any relevant services and activities.

8.7

A third country branch should take the necessary steps to ensure that the following conditions are satisfied:

  • the service provider should have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
  • the service provider should carry out the outsourced services effectively, and to this end the branch establishes methods for assessing the standard of performance of the service provider;
  • the service provider should properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
  • appropriate action should be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
  • the branch should retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and supervise those functions and manage associated risks;
  • the service provider should disclose to the branch any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
  • the branch should be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
  • the service provider should co-operate with the PRA and any other relevant competent authority in connection with the outsourced activities;
  • the branch, its auditors, the PRA and any other relevant competent authority should have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the appropriate regulator and any other relevant competent authority must be able to exercise those rights of access;
  • the service provider should protect any confidential information relating to the branch and its clients; and
  • the branch and the service provider should establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

8.8

A third country branch should ensure that the respective rights and obligations of the branch and the service provider are clearly allocated and set out in a written agreement.

8.9

If a third country branch and the service provider are members of the same group, the branch may, for the purposes of 8.6 to 8.8 and 8.10 and 8.11, take into account the extent to which the branch controls the service provider or has the ability to influence its actions.

8.10

A third country branch should make available on request to the PRA and any other relevant competent authority, all information necessary to enable the PRA and any other relevant competent authority to supervise the compliance of the performance of the outsourced activities with the requirements of the regulatory system.

8.11

A third country branch should notify the PRA when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.

9

Record keeping

9.1

Subject to any other record-keeping rule, the PRA expects records to be capable of being reproduced in the English language on paper. Where a third country branch is expected or required to retain a record of a communication that was not made in the English language, it may retain it in that language. However, it should be able to provide a translation on request. If a third country branch’s records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of English.

9.2

A third country branch should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records so that the branch may fulfil its regulatory and statutory obligations. With respect to retention periods, the PRA expects that records should be retained for as long as is relevant for the purposes for which they are made.
