SYSC Senior Management Arrangements, Systems and Controls sourcebook

Export part as

SYSC 1

Application and purpose

SYSC 1.1A

Application



[Note: ESMA has also issued guidelines under article 16(3) of the ESMA Regulation covering:



- various topics relating to automated trading and direct electronic access. See

and



- certain aspects of the MiFID suitability requirements which also deal with the system and control aspects of suitability. See http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-suitability-requirements.]

SYSC 1.1A.1

See Notes

handbook-guidance
The application of this sourcebook is summarised at a high level in the following table. The detailed application is cut back in SYSC 1 Annex 1 and in the text of each chapter.

Firms that SYSC 19D applies to should also refer to the Remuneration part of the PRA Rulebook

SYSC 1.1A.1A

See Notes

handbook-guidance
Chapters 4 to 9 are not applicable to CRR firms (other than incoming firms).

SYSC 1.1A.2

See Notes

handbook-guidance
The provisions in SYSC should be read in conjunction with GEN 2.2.23 R to GEN 2.2.25 G. In particular:
(1) Provisions made by both the FCA and PRA may contain obligations for or references to FCA-authorised persons. GEN 2.2.23 R limits the application of those provisions so that the PRA will only apply them in respect of PRA-authorised persons and not to such FCA-authorised persons as are included within the provision.
(2) Provisions made by both the FCA and PRA may be applied by both regulators to PRA-authorised persons. Such provisions are applied by each regulator to the extent of its powers and regulatory responsibilities.

SYSC 1.2

Purpose

SYSC 1.2.1A

See Notes

handbook-guidance
The purposes of SYSC are:
(1) to encourage firms' directors and senior managers to take appropriate practical responsibility for their firms' arrangements on matters likely to be of interest to the PRA because they impinge on the PRA's functions under the Act;
(2) to encourage firms to vest responsibility for effective and responsible organisation in specific directors and senior managers; and
(3) to create a common platform of organisational and systems and controls requirements for all firms.

SYSC 1.4

Application of SYSC 11 to SYSC 21

What?

SYSC 1.4.1

See Notes

handbook-guidance
The application of each of chapters SYSC 11 to SYSC 21 is set out in those chapters and in SYSC 1.4.1A R.

SYSC 1.4.1A

See Notes

handbook-rule
SYSC 12, SYSC 19A, SYSC 19D, SYSC 20 and SYSC 21 do not apply to a firm in relation to its carrying on of auction regulation bidding.

SYSC 1.4.1B

See Notes

handbook-guidance
Apart from SYSC 12, SYSC 19A, SYSC 19D, SYSC 20 and SYSC 21 which are disapplied by SYSC 1.4.1A R, the other chapters of SYSC 11 to SYSC 17 do not apply in relation to a firm's carrying on of auction regulation bidding because they only apply to an insurer. SYSC 18 provides guidance on the Public Interest Disclosure Act.

SYSC 1 Annex 1

Detailed application of SYSC

SYSC 2

Senior management arrangements

SYSC 2.1

Apportionment of Responsibilities

SYSC 2.1.1

See Notes

handbook-rule
A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that:
(1) it is clear who has which of those responsibilities; and
(2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior managers and governing body of the firm.

SYSC 2.1.1A

See Notes

handbook-guidance
Firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21.

SYSC 2.1.2

See Notes

handbook-guidance
The role undertaken by a non-executive director will vary from one firm to another. For example, the role of a non-executive director in a friendly society may be more extensive than in other firms. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes.

SYSC 2.1.3

See Notes

handbook-rule
A firm must appropriately allocate to one or more individuals, in accordance with SYSC 2.1.4 R, the functions of:
(1) dealing with the apportionment of responsibilities under SYSC 2.1.1 R; and
(2) overseeing the establishment and maintenance of systems and controls under SYSC 3.1.1 R.

SYSC 2.1.4

See Notes

handbook-rule

Allocation of functions

This table belongs to SYSC 2.1.3 R

SYSC 2.1.5

See Notes

handbook-guidance
SYSC 2.1.3 R and SYSC 2.1.4 R give a firm some flexibility in the individuals to whom the functions may be allocated. It will be common for both the functions to be allocated solely to the firm's chief executive. SYSC 2.1.6 G contains further guidance on the requirements of SYSC 2.1.3 R and SYSC 2.1.4 R in a question and answer form.

SYSC 2.1.6

See Notes

handbook-guidance

Frequently asked questions about allocation of functions in SYSC 2.1.3 R

This table belongs to SYSC 2.1.5 G

SYSC 2.2

Recording the apportionment

SYSC 2.2.1

See Notes

handbook-rule
(1) A firm must make a record of the arrangements it has made to satisfy SYSC 2.1.1 R (apportionment) and SYSC 2.1.3 R (allocation) and take reasonable care to keep this up to date.
(2) This record must be retained for six years from the date on which it was superseded by a more up-to-date record.

SYSC 2.2.2

See Notes

handbook-guidance
(1) A firm will be able to comply with SYSC 2.2.1 R by means of records which it keeps for its own purposes provided these records satisfy the requirements of SYSC 2.2.1 R and provided the firm takes reasonable care to keep them up to date. Appropriate records might, for this purpose, include organisational charts and diagrams, project management documents, job descriptions, committee constitutions and terms of reference provided they show a clear description of the firm's major functions.
(2) Firms should record any material change to the arrangements described in SYSC 2.2.1 R as soon as reasonably practicable after that change has been made.

SYSC 2.2.3

See Notes

handbook-guidance
Where responsibilities have been allocated to more than one individual, the firm's record should show clearly how those responsibilities are shared or divided between the individuals concerned.

SYSC 3

Systems and Controls

SYSC 3.1

Systems and Controls

SYSC 3.1.1

See Notes

handbook-rule
A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

SYSC 3.1.2

See Notes

handbook-guidance
(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including:
(a) the nature, scale and complexity of its business;
(b) the diversity of its operations, including geographical diversity;
(c) the volume and size of its transactions; and
(d) the degree of risk associated with each area of its operation.
(2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.
(3) The areas typically covered by the systems and controls referred to in SYSC 3.1.1 R are those identified in SYSC 3.2. Detailed requirements regarding systems and controls relevant to particular business areas or particular types of firm are covered elsewhere in the Handbook.

SYSC 3.1.2A

See Notes

handbook-guidance
Firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21.

SYSC 3.1.3

See Notes

handbook-guidance
Where the UK Corporate Governance Code is relevant to a firm, the appropriate regulator, in considering whether the firm's obligations under SYSC 3.1.1 R have been met, will give it due credit for following corresponding provisions in the codeand related guidance.

SYSC 3.1.5

See Notes

handbook-guidance
SYSC 2.1.3 R (2) prescribes how a firm must allocate the function of overseeing the establishment and maintenance of systems and controls described in SYSC 3.1.1 R.

SYSC 3.1.6

See Notes

handbook-rule
A firm which is not a common platform firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.

SYSC 3.1.7

See Notes

handbook-rule
When complying with the competent employees rules, a firm must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business.

SYSC 3.1.10

See Notes

handbook-guidance
If a firm requires employees who are not subject to a qualification requirement in TC to pass a relevant examination from the list of recommended examinations maintained by the Financial Skills Partnership, the appropriate regulator will take that into account when assessing whether the firm has ensured that the employee satisfies the knowledge component of the competent employees rule.

SYSC 3.2

Areas covered by systems and controls

Introduction

SYSC 3.2.1

See Notes

handbook-guidance
This section covers some of the main issues which a firm is expected to consider in establishing and maintaining the systems and controls appropriate to its business, as required by SYSC 3.1.1 R.

Organisation

SYSC 3.2.2

See Notes

handbook-guidance
A firm's reporting lines should be clear and appropriate having regard to the nature, scale and complexity of its business. These reporting lines, together with clear management responsibilities, should be communicated as appropriate within the firm.

SYSC 3.2.3

See Notes

handbook-guidance
(1) A firm's governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives or, where applicable, its tied agents, appropriate safeguards should be put in place.
(2) When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved.
(3) The extent and limits of any delegation should be made clear to those concerned.
(4) There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks.
(5) If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.

SYSC 3.2.4

See Notes

handbook-guidance
(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.
(2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.

SYSC 3.2.5

See Notes

handbook-guidance
Where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.

The compliance function

SYSC 3.2.7

See Notes

handbook-guidance
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
(2) [deleted]
(3) [deleted]

Risk assessment

SYSC 3.2.10

See Notes

handbook-guidance
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate risk assessment function responsible for assessing the risks that the firm faces and advising the governing body and senior managers on them.
(2) The organisation and responsibilities of a risk assessment function should be documented. The function should be adequately resourced and staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively.
(3) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).

Management information

SYSC 3.2.11B

See Notes

handbook-guidance
(1) A firm's arrangements should be such as to furnish its governing body with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Three factors will be the relevance, reliability and timeliness of that information.
(2) Risks of regulatory concern are those risks which relate to the safety and soundness of PRA-authorised persons.

SYSC 3.2.12

See Notes

handbook-guidance
It is the responsibility of the firm to decide what information is required, when, and for whom, so that it can organise and control its activities and can comply with its regulatory obligations. The detail and extent of information required will depend on the nature, scale and complexity of the business.

Employees and agents

SYSC 3.2.13

See Notes

handbook-guidance
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it.

SYSC 3.2.14

See Notes

handbook-guidance
(1) SYSC 3.2.13 G includes assessing an individual's honesty, and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
(2) Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.
(3) [deleted]
(4) The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10.

Audit committee

SYSC 3.2.15

See Notes

handbook-guidance
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G) and provide an interface between management and the external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.

Internal audit

SYSC 3.2.16

See Notes

handbook-guidance
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
(2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).

Business strategy

SYSC 3.2.17

See Notes

handbook-guidance
A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.

Remuneration policies

SYSC 3.2.18

See Notes

handbook-guidance
It is possible that firms' remuneration policies will from time to time lead to tensions between the ability of the firm to meet the requirements and standards under the regulatory system and the personal advantage of those who act for it. Where tensions exist, these should be appropriately managed.

Business continuity

SYSC 3.2.19

See Notes

handbook-guidance
A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Records

SYSC 3.2.20

See Notes

handbook-rule
(1) A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.
(2) Subject to (3) and to any other record-keeping rule in the Handbook, the records required by (1) or by such other rule must be capable of being reproduced in the English language on paper.
(3) If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language as required by (2).

SYSC 3.2.21

See Notes

handbook-guidance
A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.

SYSC 3.2.22

See Notes

handbook-guidance
Detailed record-keeping requirements for different types of firm are to be found elsewhere in the Handbook. Schedule 1 to the Handbook is a consolidated schedule of these requirements.

SYSC 4

General organisational requirements

SYSC 4.1

General requirements

[Note: ESMA has also issued guidelines under article 16(3) of the ESMA Regulation covering certain aspects of the MiFID compliance function requirements. See http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-compliance-function-requirements.]

SYSC 4.1.1

See Notes

handbook-rule
(1) A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.
(2) [deleted]

[Note: article 74 (1) of CRD, article 13(5) second paragraph of MiFID, article 12(1)(a) of the UCITS Directive, and article 18(1) of AIFMD]

SYSC 4.1.2

See Notes

handbook-rule
For a common platform firm, the arrangements, processes and mechanisms referred to in SYSC 4.1.1 R must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the business model and of the common platform firm's activities and must take into account the specific technical criteria described in SYSC 4.1.7 R, SYSC 5.1.7 R, SYSC 7 and Band whichever of the following as applicable:
(1) (for a firm to which SYSC 19A applies) SYSC 19A (IFPRU Remuneration Code);
(2) (for a full-scope UK AIFM) SYSC 19B (AIFM Remuneration Code);
(3) (for a firm to which SYSC 19C applies) SYSC 19C (BIPRU Remuneration Code);
(4) (for a firm to which SYSC 19D applies) SYSC 19D (Dual-regulated firms Remuneration Code); or
(5) (for a firm to which the Remuneration part of the PRA Rulebook applies) the Remuneration part of the PRA Rulebook.
[Note: article 74 (2) of CRD]

SYSC 4.1.2A

See Notes

handbook-guidance
Other firms should take account of the comprehensiveness and proportionality rule (SYSC 4.1.2 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

Mechanisms and procedures for a firm

SYSC 4.1.4

See Notes

handbook-rule
A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)) must, taking into account the nature, scale and complexity of the business of the firm, and the nature and range of the financial services and activities undertaken in the course of that business:
(1) (if it is a common platform firm or a management company) establish, implement and maintain decision-making procedures and an organisational structure which clearly and in a documented manner specifies reporting lines and allocates functions and responsibilities;
(2) establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm;
(3) (if it is a common platform firm) establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the firm; and
(4) (if it is a management company) establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the management company as well as effective information flows with any third party involved.
[Note: articles 5(1) final paragraph, 5(1)(a), 5(1)(c) and 5(1)(e) of the MiFID implementing Directive and articles 4(1) final paragraph, 4(1)(a), 4(1)(c) and 4(1)(d) of the UCITS implementing Directive]

SYSC 4.1.4A

See Notes

handbook-guidance
A firm that is not a common platform firm or a management company should take into account the decision-making procedures and effective internal reporting rules (SYSC 4.1.4R (1), (3) and (4)) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.1.5

See Notes

handbook-rule
A MiFID investment firm and a management company must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.
[Note: article 5(2) of the MiFID implementing Directive and article 4(2) of the UCITS implementing Directive]

Business continuity

SYSC 4.1.6

See Notes

handbook-rule
A common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm must employ appropriate and proportionate systems, resources and procedures.
[Note: article 13(4) of MiFID]

SYSC 4.1.7

See Notes

handbook-rule
A common platform firm and a management company must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.
[Note: article 5(3) of the MiFID implementing Directive,annex V paragraph 13 of the Banking Consolidation Directive, article 4(3) of the UCITS implementing Directive and article 85(2) of the CRD]

SYSC 4.1.7A

See Notes

handbook-guidance
Other firms should take account of the business continuity rules (SYSC 4.1.6 R and 4.1.7 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.1.8

See Notes

handbook-guidance
The matters dealt with in a business continuity policy should include:
(1) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
(2) the recovery priorities for the firm's operations;
(3) communication arrangements for internal and external concerned parties (including the appropriate regulator , clients and the press);
(4) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(5) processes to validate the integrity of information affected by the disruption; and
(6) regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC 4.1.10 R.

Accounting policies

SYSC 4.1.9

See Notes

handbook-rule
A common platform firm and a management company must establish, implement and maintain accounting policies and procedures that enable it, at the request of the appropriate regulator, to deliver in a timely manner to the appropriate regulator financial reports which reflect a true and fair view of its financial position and which comply with all applicable accounting standards and rules.
[Note: article 5(4) of the MiFID implementing Directive and article 4(4) of the UCITS implementing Directive]

Regular monitoring

SYSC 4.1.10

See Notes

handbook-rule
A common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.
[Note: article 5(5) of the MiFID implementing Directive and article 4(5) of the UCITS implementing Directive]

SYSC 4.1.10A

See Notes

handbook-guidance
Other firms should take account of the regular monitoring rule (SYSC 4.1.10 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G, but ignoring the cross-reference to SYSC 4.1.5 R and 4.1.9 R.

Audit committee

SYSC 4.1.11

See Notes

handbook-guidance
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface between management and external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.

Risk control: additional guidance

SYSC 4.1.13

See Notes

handbook-guidance
Firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21.

Apportionment of responsibilities: the role of the non-executive director

SYSC 4.1.14

See Notes

handbook-guidance
The role undertaken by a non-executive director will vary from one firm to another. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes.

SYSC 4.1.15

See Notes

handbook-rule
(1) A firm must have in place appropriate procedures for its employees to report breaches internally through a specific, independent and autonomous channel.
(2) The channel in (1) may be provided through arrangements provided for by social partners.

[Note: article 71 (3) of CRD]

SYSC 4.2

Persons who effectively direct the business

SYSC 4.2.1

See Notes

handbook-rule
The senior personnel of a common platform firm, a management companya full-scope UK AIFM, or of the UK branch of a non-EEA bank must be of sufficiently good repute and sufficiently experienced as to ensure the sound and prudent management of the firm.
[Note: article 9(1) of MiFID, article 7(1)(b) of the UCITS Directive article 8(1)(c) of AIFMD, article 11(1) second paragraph of the Banking Consolidation Directive and article 13(1) of the CRD]

SYSC 4.2.1A

See Notes

handbook-guidance
Other firms should take account of the senior personnel rule (SYSC 4.2.1 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.2.2

See Notes

handbook-rule
A common platform firm, a management company, a full-scope UK AIFM and the UK branch of a non-EEA bank must ensure that its management is undertaken by at least two persons meeting the requirements laid down in SYSC 4.2.1 R and, for a full-scope UK AIFM, SYSC 4.2.7 R.
[Note: article 9(4) first paragraph of MiFID, article 7(1)(b) of the UCITS Directive, article 8(1)(c) of AIFMD and article 13(1) of CRD]

SYSC 4.2.3

See Notes

handbook-guidance
In the case of a body corporate, the persons referred to in SYSC 4.2.2 R should either be executive directors or persons granted executive powers by, and reporting immediately to, the governing body. In the case of a partnership, they should be active partners.

SYSC 4.2.4

See Notes

handbook-guidance
At least two independent minds should be applied to the formulation and implementation of the policies of a common platform firm, a management company, a full-scope UK AIFM and the UK branch of a non-EEA bank. Where a firm nominates just two individuals to direct its business, the appropriate regulator will not regard them as both effectively directing the business where one of them makes some, albeit significant, decisions relating to only a few aspects of the business. Each should play a part in the decision-making process on all significant decisions. Both should demonstrate the qualities and application to influence strategy, day-to-day policy and its implementation. This does not require their day-to-day involvement in the execution and implementation of policy. It does, however, require involvement in strategy and general direction, as well as knowledge of, and influence on, the way in which strategy is being implemented through day-to-day policy.

SYSC 4.2.5

See Notes

handbook-guidance
Where there are more than two individuals directing the business of a common platform firm, a management company, a full-scope UK AIFM or the UK branch of a non-EEA bank, the appropriate regulator does not regard it as necessary for all of these individuals to be involved in all decisions relating to the determination of strategy and general direction. However, at least two individuals should be involved in all such decisions. Both individuals' judgement should be engaged so that major errors leading to difficulties for the firm are less likely to occur. Similarly, each individual should have sufficient experience and knowledge of the business and the necessary personal qualities and skills to detect and resist any imprudence, dishonesty or other irregularities by the other individual. Where a single individual, whether a chief executive, managing director or otherwise, is particularly dominant in such a firm this will raise doubts about whether SYSC 4.2.2 R is met.

SYSC 4.2.6

See Notes

handbook-rule
If a common platform firm, (other than a credit institution or AIFM investment firm) or the UK branch of a non-EEA bank, is:
(1) a natural person; or
(2) a legal person managed by a single natural person;
it must have alternative arrangements in place which ensure sound and prudent management of the firm.
[Note: article 9(4) second paragraph of MiFID]

SYSC 4.3

Responsibility of senior personnel

SYSC 4.3.1

See Notes

handbook-rule
A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)), when allocating functions internally, must ensure that senior personnel and, where appropriate, the supervisory function, are responsible for ensuring that the firm complies with its obligations under the regulatory system. In particular, senior personnel and, where appropriate, the supervisory function must assess and periodically review the effectiveness of the policies, arrangements and procedures put in place to comply with the firm's obligations under the regulatory system and take appropriate measures to address any deficiencies.
[Note: article 9(1) of the MiFID implementing Directive and articles 9(1) and 9(3) of the UCITS implementing Directive]

SYSC 4.3.2

See Notes

handbook-rule
A common platform firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)) and a management company, must ensure that:
(1) its senior personnel receive on a frequent basis, and at least annually, written reports on the matters covered by SYSC 6.1.2 R to SYSC 6.1.5 R, SYSC 6.2.1 R and SYSC 7.1.2 R, SYSC 7.1.3 R and SYSC 7.1.5 R to SYSC 7.1.7 R, indicating in particular whether the appropriate remedial measures have been taken in the event of any deficiencies; and
(2) the supervisory function, if any, receives on a regular basis written reports on the same matters.
[Note: article 9(2) and article 9(3) of the MiFID implementing Directive and articles 9(4) and 9(6) of the UCITS implementing Directive]

SYSC 4.3.2A

See Notes

handbook-guidance
Other firms should take account of the written reports rule (SYSC 4.3.2 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.3.3

See Notes

handbook-guidance
The supervisory function does not include a general meeting of the shareholders of a firm , or equivalent bodies, but could involve, for example, a separate supervisory board within a two-tier board structure or the establishment of a non-executive committee of a single-tier board structure.

SYSC 4.3A

CRR firms

Management body

SYSC 4.3A.1

See Notes

handbook-rule
A CRR firm must ensure that the management body defines, oversees and is accountable for the implementation of governance arrangements that ensure effective and prudent management of the firm, including the segregation of duties in the organisation and the prevention of conflicts of interest. The firm must ensure that the management body:
(1) has overall responsibility for the firm;
(2) approves and oversees implementation of the firm's strategic objectives, risk strategy and internal governance;
(3) ensures the integrity of the firm's accounting and financial reporting systems, including financial and operational controls and compliance with the regulatory system.
(4) oversees the process of disclosure and communications;
(5) has responsibility for providing effective oversight of senior management.
(6) monitors and periodically assesses the effectiveness of the firm's governance arrangements and takes appropriate steps to address any deficiencies.

[Note: article 88(1) of CRD]

SYSC 4.3A.2

See Notes

handbook-rule
A CRR firm must ensure that the chairman of the firm's management body does not exercise simultaneously the chief executive function within the same firm, unless justified by the firm and authorised by the appropriate regulator.

[Note: article 88(1)(e) of CRD]

SYSC 4.3A.3

See Notes

handbook-rule
A CRR firm must ensure that the members of the management body of the firm:
(1) are of sufficiently good repute;
(2) possess sufficient knowledge, skills and experience to perform their duties;
(3) possess adequate collective knowledge, skills and experience to understand the firm's activities, including the main risks;
(4) reflect an adequately broad range of experiences;
(5) commit sufficient time to perform their functions in the firm; and
(6) act with honesty, integrity and independence of mind to effectively assess and challenge the decisions of senior management where necessary and to effectively oversee and monitor management decision-making.


[Note: article 91(1)-(2) and (7)-(8) of the CRD]

SYSC 4.3A.4

See Notes

handbook-rule
A CRR firm must devote adequate human and financial resources to the induction and training of members of the management body.

[Note: article 91(3) of the CRD]

SYSC 4.3A.5

See Notes

handbook-rule
A CRR firm must ensure that the members of the management body of the firm do not hold more directorships than is appropriate taking into account individual circumstances and the nature, scale and complexity of the firm's activities.

[Note: article 91(3) of the CRD]

SYSC 4.3A.6

See Notes

handbook-rule
(1) A CRR firm that is significant must ensure that the members of the management body of the firm do not hold more than one of the following combinations of directorship in any organisation at the same time:
(a) one executive directorship with two non-executive directorships; and
(b) four non-executive directorships.
(2) Paragraph (1) does not apply to members of the management body that represent the United Kingdom.


[Note: article 91(3) of the CRD]

SYSC 4.3A.6A

See Notes

handbook-guidance
In SYSC 4.3A.6 R a 'CRR firm that is significant' means a deposit-taker or designated investment firm whose size, interconnectedness, complexity and business type gives it the capacity to cause some disruption to the UK financial system (and through that to economic activity more widely) by failing or by carrying on its business in an unsafe manner.

SYSC 4.3A.6B

See Notes

handbook-guidance
The limits on directorships set out in SYSC 4.3A.6 R also apply to members of the management body of the UK consolidation group or non-EEA sub group in accordance with SYSC 12.1.13 R. Individuals in any of the entities belonging to the UK consolidation group or non-EEA sub group are capable of forming part of this management body. For example, members of the management body of a non-CRR firm that is a parent financial holding company in a Member State and is a member of a UK consolidation group could be caught by the limits in SYSC 4.3A.6 R (SYSC 12.1.14 R). In particular, a person who requires approval under SUP 10B.6.2 R or SUP 10B.6.4 R because of the influence they exercise over the CRR firm is a member of the management body of the UK consolidation group or non-EEA sub group and therefore subject to the limit on directorships in SYSC 4.3A.6 R.



[Note: article 91(3) and article 109(2) of the CRD]

SYSC 4.3A.7

See Notes

handbook-rule
For the purposes of SYSC 4.3A.5 R and SYSC 4.3A.6 R:
(1) directorships in organisations which do not pursue predominantly commercial objectives shall not count; and
(2) the following shall count as a single directorship:
(a) executive or non-executive directorships held within the same group; or
(b) executive or non-executive directorships held within:
(i) firms that are members of the same institutional protection scheme provided that the conditions set out in Article 113(7) of the CRR are fulfilled; or
(ii) undertakings (including non-financial entities) in which the firm holds a qualifying holding.


[Note: article 91(4) and (5) of the CRD]

Nomination Committee

SYSC 4.3A.8

See Notes

handbook-rule
A CRR firm that is significant must:
(1) establish a nomination committee composed of members of the management body who do not perform any executive function in the firm;
(2) ensure that the nomination committee is able to use any forms of resources the nomination committee deems appropriate, including external advice; and
(3) ensure that the nomination committee receives appropriate funding.


[Note: article 88(2) of the CRD]

SYSC 4.3A.8A

See Notes

handbook-guidance
In SYSC 4.3A.8 R a 'CRR firm that is significant' means a deposit-taker or designated investment firm whose size, interconnectedness, complexity and business type gives it the capacity to cause some disruption to the UK financial system (and through that to economic activity more widely) by failing or by carrying on its business in an unsafe manner.

SYSC 4.3A.9

See Notes

handbook-rule
A CRR firm that has a nomination committee must ensure that the nomination committee:
(1) engage a broad set of qualities and competences when recruiting members to the management body and for that purpose puts in place a policy promoting diversity on the management body;
(2) identifies and recommends for approval, by the management body or by general meeting, candidates to fill management body vacancies, having evaluated the balance of knowledge, skills, diversity and experience of the management body;
(3) prepares a description of the roles and capabilities for a particular appointment, and assesses the time commitment required;
(4) decides on a target for the representation of the underrepresented gender in the management body and prepares a policy on how to increase the number of the underrepresented gender in the management body in order to meet that target;
(5) periodically, and at least annually, assesses the structure, size, composition and performance of the management body and makes recommendations to the management body with regard to any changes;
(6) periodically, and at least annually, assesses the knowledge, skills and experience of individual members of the management body and of the management body collectively, and reports this to the management body;
(7) periodically reviews the policy of the management body for selection and appointment of senior management and makes recommendations to the management body; and
(8) in performing its duties, and to the extent possible, on an ongoing basis, takes account of the need to ensure that the management body's decision making is not dominated by any one individual or small group of individuals in a manner that is detrimental to the interest of the firm as a whole;


[Note: article 88(2) and article 91(10) of the CRD]

SYSC 4.3A.10

See Notes

handbook-rule
A CRR firm that does not have a nomination committee must engage a broad set of qualities and competences when recruiting members to the management body. For that purpose a CRR firm that does not have a nomination committee must put in place a policy promoting diversity on the management body.

[Note: article 91(10) of the CRD]

Website

SYSC 4.3A.11

See Notes

handbook-rule
A CRR firm that maintains a website must explain on the website how it complies with the requirements of SYSC 4.3A.1 R to SYSC 4.3A.3 R and SYSC 4.3A.4 R to SYSC 4.3A.11 R.

[Note: article 96 of the CRD]

SYSC 4.4

Apportionment of responsibilities

Application

SYSC 4.4.1

See Notes

handbook-rule
This section applies to:
(1) an authorised professional firm in respect of its non-mainstream regulated activities unless the firm is also conducting other regulated activities and has appointed approved persons to perform the governing functions with equivalent responsibilities for the firm'snon-mainstream regulated activities and other regulated activities;
(2) activities carried on by a firm whose principal purpose is to carry on activities other than regulated activities and which is:
(b) a service company; or
(d) a wholly-owned subsidiary of:
(i) a local authority; or
(ii) a registered social landlord; or
(3) [deleted]
(4) [deleted]
(5) [deleted]
(a) [deleted]
(b) [deleted]
(6) [deleted]
(7) an incoming Treaty firm, an incoming EEA firm or a UCITS qualifier (but only SYSC 4.4.5R (2) applies for these firms); and
(8) a sole trader, but only if he employs any person who is required to be approved under section 59 of the Act (Approval for particular arrangements).

SYSC 4.4.2

See Notes

handbook-guidance
This section does not apply to a common platform firm.

Maintaining a clear and appropriate apportionment

SYSC 4.4.3

See Notes

handbook-rule
A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that:
(1) it is clear who has which of those responsibilities; and
(2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior managers and governing body of the firm.

Allocating functions of apportionment and oversight

SYSC 4.4.5

See Notes

handbook-rule
A firm must appropriately allocate to one or more individuals, in accordance with the following table, the functions of:
(1) dealing with the apportionment of responsibilities under SYSC 4.4.3 R; and
(2) overseeing the establishment and maintenance of systems and controls under SYSC 4.1.1 R.

SYSC 4.4.6

See Notes

handbook-guidance
Frequently asked questions about allocation of functions in SYSC 4.4.5 R

SYSC 5

Employees, agents and other relevant persons

SYSC 5.1

Skills, knowledge and expertise



[Note: ESMA has also issued guidelines under article 16(3) of the ESMA Regulation covering certain aspects of the MiFID compliance function requirements. See http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-compliance-function-requirements.]

SYSC 5.1.1

See Notes

handbook-rule
A firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.
[Note: article 5(1)(d) of the MiFID implementing Directive, articles 12(1)(a) and 14(1)(c) of the UCITS Directive and article 5(1) of the UCITS implementing Directive]

SYSC 5.1.2

See Notes

handbook-guidance
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual's honesty and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.

SYSC 5.1.3

See Notes

handbook-guidance
Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.

SYSC 5.1.4A

See Notes

handbook-guidance
Firms which are carrying on activities that are not subject to TC may nevertheless wish to take TC into account in complying with the competence requirements in SYSC.

SYSC 5.1.5

See Notes

handbook-guidance
The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10A and SUP 10B.

SYSC 5.1.5A

See Notes

handbook-guidance
If a firm requires employees who are not subject to a qualification requirement in TC to pass a relevant examination from the list of recommended examinations maintained by the Financial Skills Partnership, the appropriate regulator will take that into account when assessing whether the firm has ensured that the employee satisfies the knowledge component of the competent employees rule.

Segregation of functions

SYSC 5.1.6

See Notes

handbook-rule
A common platform firm and a management company must ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular functions soundly, honestly and professionally.
[Note: article 5(1)(g) of the MiFID implementing Directive and article 5(3) of the UCITS implementing Directive]

SYSC 5.1.7

See Notes

handbook-rule
The senior personnel of a common platform firm must define arrangements concerning the segregation of duties within the firm and the prevention of conflicts of interest.
[Note:article 88 of the CRD and annex V paragraph 1 of the Banking Consolidation Directive]

SYSC 5.1.7A

See Notes

handbook-guidance
Other firms should take account of the segregation of functions rules (SYSC 5.1.6 R and SYSC 5.1.7 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 5.1.8

See Notes

handbook-guidance
The effective segregation of duties is an important element in the internal controls of a firm in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm'sgoverning body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems.

SYSC 5.1.9

See Notes

handbook-guidance
A firm should normally ensure that no single individual has unrestricted authority to do all of the following:
(1) initiate a transaction;
(2) bind the firm;
(3) make payments; and
(4) account for it.

SYSC 5.1.10

See Notes

handbook-guidance
Where a firm is unable to ensure the complete segregation of duties (for example, because it has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant senior managers).

SYSC 5.1.11

See Notes

handbook-guidance
Where a common platform firm outsources its internal audit function, it should take reasonable steps to ensure that every individual involved in the performance of this service is independent from the individuals who perform its external audit. This should not prevent services from being undertaken by a firm's external auditors provided that:
(1) the work is carried out under the supervision and management of the firm's own internal staff; and
(2) potential conflicts of interest between the provision of external audit services and the provision of internal audit are properly managed.

Awareness of procedures

SYSC 5.1.12

See Notes

handbook-rule
A common platform firm and a management company must ensure that its relevant persons are aware of the procedures which must be followed for the proper discharge of their responsibilities.
[Note: article 5(1)(b) of the MiFID implementing Directive and article 4(1)(b) of the UCITS implementing Directive]

SYSC 5.1.12A

See Notes

handbook-guidance
Other firms should take account of the rule concerning awareness of procedures (SYSC 5.1.12 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

General

SYSC 5.1.13

See Notes

handbook-rule
The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business.
[Note: article 5(1) final paragraph of the MiFID implementing Directiveand articles 4(1) final paragraph and 5(4) of the UCITS implementing Directive]

SYSC 5.1.14

See Notes

handbook-rule
A common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies.
[Note: article 5(5) of the MiFID implementing Directive and articles 4(5) of the UCITS implementing Directive]

SYSC 5.1.15

See Notes

handbook-guidance
Other firms should take account of the rule requiring monitoring and evaluation of the adequacy and effectiveness of systems (SYSC 5.1.14 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 6

Compliance, internal audit and financial crime

SYSC 6.1

Compliance



[Note: ESMA has also issued guidelines under article 16(3) of the ESMA Regulation covering certain aspects of the MiFID compliance function requirements. See http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-compliance-function-requirements.]

SYSC 6.1.1

See Notes

handbook-rule
A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives(or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.
[Note: article 13(2) of MiFID and article 12(1)(a) of the UCITS Directive]

SYSC 6.1.2

See Notes

handbook-rule
A common platform firm and a management company must, taking intoaccount the nature, scale and complexity of its business, and the nature and range of financial services and activities undertaken in the course of that business, establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system, as well as associated risks, and put in place adequate measures and procedures designed to minimise such risks and to enable the appropriate regulator to exercise its powers effectively under the regulatory system and to enable any other competent authority to exercise its powers effectively under MiFID or the UCITS Directive.
[Note: article 6(1) of the MiFID implementing Directive and article 10(1) of the UCITS implementing Directive]

SYSC 6.1.2A

See Notes

handbook-guidance
Other firms should take account of the adequate policies and procedures rule (SYSC 6.1.2 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 6.1.3

See Notes

handbook-rule
A common platform firm and a management company must maintain a permanent and effective compliance function which operates independently and which has the following responsibilities:
(1) to monitor and, on a regular basis, to assess the adequacy and effectiveness of the measures and procedures put in place in accordance with SYSC 6.1.2 R, and the actions taken to address any deficiencies in the firm's compliance with its obligations; and
(2) to advise and assist the relevant persons responsible for carrying out regulated activities to comply with the firm's obligations under the regulatory system.

[Note: article 6(2) of the MiFID implementing Directive and article 10(2) of the UCITS implementing Directive]

SYSC 6.1.3A

See Notes

handbook-guidance
(1) Other firms should take account of the compliance function rule (SYSC 6.1.3 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.
(2) Notwithstanding SYSC 6.1.3 R, as it applies under (1), depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. Where a firm has a separate compliance function the firm should also take into account SYSC 6.1.3 R and SYSC 6.1.4 R as guidance.

SYSC 6.1.4

See Notes

handbook-rule
In order to enable the compliance function to discharge its responsibilities properly and independently, a common platform firm and a management company must ensure that the following conditions are satisfied:
(1) the compliance function must have the necessary authority, resources, expertise and access to all relevant information;
(2) a compliance officer must be appointed and must be responsible for the compliance function and for any reporting as to compliance required by SYSC 4.3.2 R;
(3) the relevant persons involved in the compliance functions must not be involved in the performance of services or activities they monitor;
(4) the method of determining the remuneration of the relevant persons involved in the compliance function must not compromise their objectivity and must not be likely to do so.

[Note: article 6(3) first paragraph of the MiFID implementing Directive and article 10(3) of the UCITS implementing Directive]

SYSC 6.1.4-A

See Notes

handbook-guidance

In setting the method of determining the remuneration of relevant persons involved in the compliance function:

(1) firms that SYSC 19A applies to will also need to comply with the Remuneration Code;
(2) BIPRU firms will also need to comply with the BIPRU Remuneration Code;
(3) firms that SYSC 19D applies to will also need to comply with the Dual-regulated firms Remuneration Code; and
(4) firms that the Remuneration part of the PRA Rulebook applies to will also need to comply with it.

SYSC 6.1.5

See Notes

handbook-rule
A common platform firm and a management company need not comply with SYSC 6.1.4 R (3) or SYSC 6.1.4 R (4) if it is able to demonstrate that in view of the nature, scale and complexity of its business, and the nature and range of financial services and activities, the requirements under those rules are not proportionate and that its compliance function continues to be effective.
[Note: article 6(3) second paragraph of the MiFID implementing Directive and article 10(3) second paragraph of the UCITS implementing Directive]

SYSC 6.1.6

See Notes

handbook-rule
Other firms should take account of the proportionality rule (SYSC 6.1.5 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 6.1.7

See Notes

handbook-rule
(1) This rule applies to a common platform firm conducting investment services and activities from a branch in another EEA State.
(2) References to the regulatory system in SYSC 6.1.1R, SYSC 6.1.2 R and SYSC 6.1.3 R apply in respect of a firm'sbranch as if regulatory system includes a Host State's requirements under MiFID and the MiFID implementing Directive which are applicable to the investment services and activities conducted from the firm'sbranch.
[Note: article 13(2) of MiFID]

SYSC 6.2

Internal audit

SYSC 6.2.1

See Notes

handbook-rule
A common platform firm and a management company must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services and activities, undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm and which has the following responsibilities:
(1) to establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm's systems, internal control mechanisms and arrangements;
(2) to issue recommendations based on the result of work carried out in accordance with (1);
(3) to verify compliance with those recommendations;
(4) to report in relation to internal audit matters in accordance with SYSC 4.3.2 R.

[Note: article 8 of the MiFID implementing Directive and article 11 of the UCITS implementing Directive]

SYSC 6.2.1A

See Notes

handbook-guidance
Other firms should take account of the internal audit rule (SYSC 6.2.1 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 6.2.2

See Notes

handbook-guidance
The term 'internal audit function' in SYSC 6.2.1 R (and SYSC 4.1.11 G) refers to the generally understood concept of internal audit within a firm , that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).

SYSC 7

Risk control

SYSC 7.1

Risk control



[Note: ESMA has also issued guidelines under article 16(3) of the ESMA Regulation covering certain aspects of the MiFID compliance function requirements. See http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-compliance-function-requirements.]

SYSC 7.1.1

See Notes

handbook-guidance
SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to.

SYSC 7.1.2

See Notes

handbook-rule
A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.
[Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]

SYSC 7.1.2A

See Notes

handbook-guidance
Other firms should take account of the risk management policies and procedures rule (SYSC 7.1.2 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 7.1.3

See Notes

handbook-rule
A common platform firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm's activities, processes and systems, in light of that level of risk tolerance.
[Note: article 7(1)(b) of the MiFID implementing Directive]

SYSC 7.1.4

See Notes

handbook-rule
The management body of a common platform firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.
[Note: article 76(1) of CRD]

SYSC 7.1.4AA

See Notes

handbook-guidance

For a common platform firm included within the scope of chapter 15 of the Internal Capital Adequacy Assessment Part of the PRA Rulebook, the strategies, policies and procedures for identifying, taking up, managing, monitoring and mitigating the risks to which the firm is or might be exposed include conducting reverse stress testing in accordance with chapter 15 of the Internal Capital Adequacy Assessment Part of the PRA Rulebook. A common platform firm which falls outside the scope of chapter 15 of the Internal Capital Adequacy Assessment Part of the PRA Rulebook should consider conducting reverse stress tests on its business plan as well. This would further senior personnel’s understanding of the firm's vulnerabilities and would help them design measures to prevent or mitigate the risk of business failure.

SYSC 7.1.4B

See Notes

handbook-guidance
Other firms should take account of the risk management rules (SYSC 7.1.3 R and SYSC 7.1.4 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 7.1.5

See Notes

handbook-rule
A common platform firm must monitor the following:
(1) the adequacy and effectiveness of the firm's risk management policies and procedures;
(2) the level of compliance by the firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with SYSC 7.1.3 R;
(3) the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements or processes and mechanisms or follow such policies and procedures.
[Note: article 7(1)(c) of the MiFID implementing Directive]

SYSC 7.1.6

See Notes

handbook-rule
A common platform firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:
(1) implementation of the policies and procedures referred to in SYSC 7.1.2 R to SYSC 7.1.5 R; and
(2) provision of reports and advice to senior personnel in accordance with SYSC 4.3.2 R.
[Note: MiFID implementing Directive Article 7(2) first paragraph]

SYSC 7.1.7

See Notes

handbook-rule
Where a common platform firm is not required under SYSC 7.1.6 R to maintain a risk management function that functions independently, it must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with SYSC 7.1.2 R to SYSC 7.1.5 R satisfy the requirements of those rules and are consistently effective.
[Note: article 7(2) second paragraph of the MiFID implementing Directive]

SYSC 7.1.7A

See Notes

handbook-guidance
Other firms should take account of the risk management rules (SYSC 7.1.5 R to SYSC 7.1.7 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 7.1.7B

See Notes

handbook-guidance
In setting the method of determining the remuneration of employees involved in the risk management function:
(1) firms that SYSC 19D applies to will also need to comply with the Dual-regulated firms Remuneration Code; and
(2) firms that the Remuneration part of the PRA Rulebook applies to will also need to comply with it.

SYSC 7.1.7C

See Notes

handbook-guidance
Firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21.

SYSC 7.1.8

See Notes

handbook-guidance
(1) [deleted]
(2) The term 'risk management function' in SYSC 7.1.6 R and SYSC 7.1.7 R refers to the generally understood concept of risk assessment within a firm , that is, the function of setting and controlling risk exposure. The risk management function is not a controlled function itself, but is part of the systems and controls function (CF28).

Additional rules for CRR firms

SYSC 7.1.17

See Notes

handbook-rule
(1) The management body of a CRR firm has overall responsibility for risk management. It must devote sufficient time to the consideration of risk issues.
(2) The management body of a CRR firm must be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in the rules implementing the CRD and in the EU CRR as well as in the valuation of assets, the use of external ratings and internal models related to those risks.
(3) A CRR firm must establish reporting lines to the management body that cover all material risks and risk management policies and changes thereof.


[Note: article 76(2) of CRD]

SYSC 7.1.18

See Notes

handbook-rule
(1) A CRR firm that is significant must establish a risk committee composed of members of the management body who do not perform any executive function in the firm. Members of the risk committee must have appropriate knowledge, skills and expertise to fully understand and monitor the risk strategy and the risk appetite of the firm.
(2) The risk committee must advise the management body on the institution's overall current and future risk appetite and assist the management body in overseeing the implementation of that strategy by senior management.
(3) The risk committee must review whether prices of liabilities and assets offered to clients take fully into account the firm's business model and risk strategy. Where prices do not properly reflect risks in accordance with the business model and risk strategy, the risk committee must present a remedy plan to the management body.


[Note: article 76(3) of CRD]

SYSC 7.1.18A

See Notes

handbook-guidance
In SYSC 7.1.18 R a 'CRR firm that is significant' means a deposit-taker or designated investment firm whose size, interconnectedness, complexity and business type gives it the capacity to cause some disruption to the UK financial system (and through that to economic activity more widely) by failing or by carrying on its business in an unsafe manner.

SYSC 7.1.19

See Notes

handbook-rule
(1) A CRR firm must ensure that the management body in its supervisory function and, where a risk committee has been established, the risk committee have adequate access to information on the risk profile of the firm and, if necessary and appropriate, to the risk management function and to external expert advice.
(2) The management body in its supervisory function and, where one has been established, the risk committee must determine the nature, the amount, the format, and the frequency of the information on risk which it is to receive.


[Note: article 76(4) of CRD]

SYSC 7.1.20

See Notes

handbook-rule
In order to assist in the establishment of sound remuneration policies and practices, the risk committee must, without prejudice to the tasks of the remuneration committee, examine whether incentives provided by the remuneration system take into consideration risk, capital, liquidity and the likelihood and timing of earnings.

[Note: article 76(4) of CRD]

SYSC 7.1.21

See Notes

handbook-rule
(1) A CRR firm's risk management function (SYSC 7.1.6 R) must be independent from the operational functions and have sufficient authority, stature, resources and access to the management body.
(2) The risk management function must ensure that all material risks are identified, measured and properly reported. It must be actively involved in elaborating the firm's risk strategy and in all material risk management decisions and it must be able to deliver a complete view of the whole range of risks of the firm.
(3) A CRR firm must ensure that the risk management function is able to report directly to the management body in its supervisory function, independent from senior management and that it can raise concerns and warn the management body, where appropriate, where specific risk developments affect or may affect the firm, without prejudice to the responsibilities of the management body in its supervisory and/or managerial functions pursuant to the CRD and the CRR.


[Note: article 76(5) of CRD]

SYSC 7.1.22

See Notes

handbook-rule
The head of the risk management function must be an independent senior manager with distinct responsibility for the risk management function. Where the nature, scale and complexity of the activities of the CRR firm do not justify a specially appointed person, another senior person within the firm may fulfil that function, provided there is no conflict of interest. The head of the risk management function must not be removed without prior approval of the management body and must be able to have direct access to the management body where necessary.

[Note: article 76(5) of CRD]

SYSC 8

Outsourcing

SYSC 8.1

General outsourcing requirements



[Note: ESMA has also issued guidelines under article 16(3) of the ESMA Regulation covering certain aspects of the MiFID compliance function requirements. See http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-compliance-function-requirements.]

SYSC 8.1.1

See Notes

handbook-rule
A common platform firm must:
(1) when relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter "relevant services and activities") on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk;
(2) not undertake the outsourcing of important operational functions in such a way as to impair materially:
(a) the quality of its internal control; and
(b) the ability of the appropriate regulator to monitor the firm's compliance with all obligations under the regulatory system and, if different, of a competent authority to monitor the firm's compliance with all obligations under MiFID.

[Note: article 13(5) first paragraph of MiFID]

SYSC 8.1.1A

See Notes

handbook-guidance
Other firms should take account of the outsourcing rule (SYSC 8.1.1 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.2

See Notes

handbook-guidance
The application of SYSC 8.1 to relevant services and activities (see SYSC 8.1.1 R (1)) is limited by SYSC 1 Annex 1 (Part 2) (Application of the common platform requirements).

SYSC 8.1.3

See Notes

handbook-guidance
SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Except in relation to those functions described in SYSC 8.1.5 R, where a firm relies on a third party for the performance of operational functions which are not critical or important for the performance of relevant services and activities (see SYSC 8.1.1 R (1)) on a continuous and satisfactory basis, it should take into account, in a manner that is proportionate given the nature, scale and complexity of the outsourcing, the rules in this section in complying with that requirement.

SYSC 8.1.4

See Notes

handbook-rule
For the purposes of this chapter an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a common platform firm with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.
[Note: article 13(1) of the MiFID implementing Directive]

SYSC 8.1.5

See Notes

handbook-rule
Without prejudice to the status of any other function, the following functions will not be considered as critical or important for the purposes of this chapter:
(1) the provision to the firm of advisory services, and other services which do not form part of the relevant services and activities of the firm, including the provision of legal advice to the firm, the training of personnel of the firm, billing services and the security of the firm's premises and personnel;
(2) the purchase of standardised services, including market information services and the provision of price feeds;
[Note: article 13(2) of the MiFID implementing Directive]
(3) the recording and retention of relevant telephone conversations or electronic communications subject to COBS 11.8.

SYSC 8.1.5A

See Notes

handbook-guidance
Other firms should take account of the critical functions rules (SYSC 8.1.4 R and SYSC 8.1.5 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.6

See Notes

handbook-rule
If a firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system and must comply, in particular, with the following conditions:
(1) the outsourcing must not result in the delegation by senior personnel of their responsibility;
(2) the relationship and obligations of the firm towards its clients under the regulatory system must not be altered;
(3) the conditions with which the firm must comply in order to be authorised, and to remain so, must not be undermined;
(4) none of the other conditions subject to which the firm'sauthorisation was granted must be removed or modified.
[Note: article 14(1) of the MiFID implementing Directive]

SYSC 8.1.7

See Notes

handbook-rule
A common platform firm must exercise due skill and care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any relevant services and activities.
[Note: article 14(2) first paragraph of the MiFID implementing Directive]

SYSC 8.1.8

See Notes

handbook-rule
A common platform firm must in particular take the necessary steps to ensure that the following conditions are satisfied:
(1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
(2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;
(3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
(4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
(5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing,and must supervise those functions and manage those risks;
(6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
(7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
(8) the service provider must co-operate with the appropriate regulator and any other relevant competent authority in connection with the outsourced activities;
(9) the firm, its auditors, the appropriate regulator and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the appropriate regulator and any other relevant competent authority must be able to exercise those rights of access;
(10) the service provider must protect any confidential information relating to the firm and its clients;
(11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
[Note: article 14(2) second paragraph of the MiFID implementing Directive]

SYSC 8.1.9

See Notes

handbook-rule
A common platform firm must ensure that the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement.
[Note: article 14(3) of the MiFID implementing Directive]

SYSC 8.1.10

See Notes

handbook-rule
If a common platform firm and the service provider are members of the same group, the firm may, for the purpose of complying with SYSC 8.1.7 R to SYSC 8.1.11 R and SYSC 8.2 and SYSC 8.3, take into account the extent to which the common platform firmcontrols the service provider or has the ability to influence its actions.
[Note: article 14(4) of the MiFID implementing Directive]

SYSC 8.1.11

See Notes

handbook-rule
A common platform firm must make available on request to the appropriate regulator and any other relevant competent authority all information necessary to enable the appropriate regulator and any other relevant competent authority to supervise the compliance of the performance of the outsourced activities with the requirements of the regulatory system.
[Note: article 14(5) of the MiFID implementing Directive]

SYSC 8.1.11A

See Notes

handbook-guidance
Other firms should take account of the outsourcing of important operational functions rules (SYSC 8.1.7 R to SYSC 8.1.11 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.12

See Notes

handbook-guidance
As SUP 15.3.8 G explains, a firm should notify the appropriate regulator when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.
[Note: recital 20 of theMiFID implementing Directive]

SYSC 9

Record-keeping

SYSC 9.1

General rules on record-keeping

SYSC 9.1.1

See Notes

handbook-rule
A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the appropriate regulator or any other relevant competent authority under MiFID or the UCITS Directive to monitor the firm's compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.
[Note: article 13(6) of MiFID, article 5(1)(f) of the MiFID implementing Directive, article 12(1)(a) of the UCITS Directive and article 4(1)(e) of the UCITS implementing Directive]

SYSC 9.1.2

See Notes

handbook-rule
A common platform firm must retain all records kept by it under this chapter in relation to its MiFID business for a period of at least five years.
[Note: article 51 (1) of the MiFID implementing Directive]

SYSC 9.1.3

See Notes

handbook-rule
In relation to its MiFID business, a common platform firm must retain records in a medium that allows the storage of information in a way accessible for future reference by the appropriate regulator or any other relevant competent authority under MiFID, and so that the following conditions are met:
(1) the appropriate regulator or any other relevant competent authority under MiFID must be able to access them readily and to reconstitute each key stage of the processing of each transaction;
(2) it must be possible for any corrections or other amendments, and the contents of the records prior to such corrections and amendments, to be easily ascertained;
(3) it must not be possible for the records otherwise to be manipulated or altered.
[Note: article 51(2) of the MiFID implementing Directive]

Guidance on record-keeping

SYSC 9.1.4

See Notes

handbook-guidance
Subject to any other record-keeping rule in the Handbook, the records required under the Handbook should be capable of being reproduced in the English language on paper. Where a firm is required to retain a record of a communication that was not made in the English language, it may retain it in that language. However, it should be able to provide a translation on request. If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language.

SYSC 9.1.5

See Notes

handbook-guidance
In relation to the retention of records for non-MiFID business, a firm should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records so that the firm may fulfil its regulatory and statutory obligations. With respect to retention periods, the general principle is that records should be retained for as long as is relevant for the purposes for which they are made.

SYSC 9.1.6

See Notes

handbook-guidance
Schedule 1 to each module of the Handbook sets out a list summarising the record-keeping requirements of that module.
[Note: article 51(3) of MiFID implementing Directive]

SYSC 9.1.7

See Notes

handbook-guidance
The Committee of European Securities Regulators (CESR) has issued recommendations on the list of minimum records under Article 51(3) of the MiFID implementing Directive.

SYSC 12

Group risk systems and controls requirements

SYSC 12.1

Application

SYSC 12.1.1

See Notes

handbook-rule
Subject to SYSC 12.1.2 R to SYSC 12.1.4 R, this section applies to each of the following which is a member of a group:
(1) a firm that falls into any one or more of the following categories:
(b) [deleted]
(c) an insurer;
(d) a BIPRU firm;
(f) a firm subject to the rules in IPRU(INV) Chapter 14.
(2) a UCITS firm, but only if its group contains a firm falling into (1); and
(3) the Society.

SYSC 12.1.2

See Notes

handbook-rule
Except as set out in SYSC 12.1.4 R, this section applies with respect to different types of group as follows:
(1) SYSC 12.1.8 R and SYSC 12.1.10 R apply with respect to all groups, including UK-regulated EEAfinancial conglomerates, other financial conglomerates and groups dealt with in SYSC 12.1.13 R to SYSC 12.1.16 R;
(2) the additional requirements set out in SYSC 12.1.11 R and SYSC 12.1.12 R only apply with respect to UK-regulated EEAfinancial conglomerates; and
(3) the additional requirements set out in SYSC 12.1.13 R to SYSC 12.1.16 R only apply with respect to groups of the kind dealt with by whichever of those rules apply.

SYSC 12.1.3

See Notes

handbook-rule
This section does not apply to:
(3) a UCITS qualifier; or
(4) an ICVC; or
(5) an incoming ECA provider acting as such.

SYSC 12.1.4

See Notes

handbook-rule
(1) This rule applies in respect of the following rules:
(b) SYSC 12.1.10R (1), so far as it relates to SYSC 12.1.8R (2);
(2) The rules referred to in (1):
(a) only apply with respect to a financial conglomerate if it is a UK-regulated EEA financial conglomerate;
(b) (so far as they apply with respect to a group that is not a financial conglomerate) do not apply with respect to a group for which a competent authority in another EEA state is lead regulator;
(c) (so far as they apply with respect to a financial conglomerate) do not apply to a firm with respect to a financial conglomerate of which it is a member if the interest of the financial conglomerate in that firm is no more than a participation;
(d) (so far as they apply with respect to other groups) do not apply to a firm with respect to a group of which it is a member if the only relationship of the kind set out in paragraph (3) of the definition of group between it and the other members of the group is nothing more than a participation; and
(e) do not apply with respect to a third-country group.

SYSC 12.1.5

See Notes

handbook-guidance
For the purpose of this section, a group is defined in the Glossary, and includes the whole of a firm's group, including financial and non-financial undertakings. It also covers undertakings with other links to group members if their omission from the scope of group risk systems and controls would be misleading. The scope of the group systems and controls requirements may therefore differ from the scope of the quantitative requirements for groups.

Purpose

SYSC 12.1.6

See Notes

handbook-guidance
The purpose of this chapter is to set out how the systems and control requirements imposed by SYSC (Senior Management Arrangements, Systems and Controls) apply where a firm is part of a group. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.

SYSC 12.1.7

See Notes

handbook-guidance
This section implements Articles 73(3) (Supervision on a consolidated basis of credit institutions) and 138 (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directive, Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes) and Article 8 of the Insurance Groups Directive (Intra-group transactions).

General rules

SYSC 12.1.8

See Notes

handbook-rule
A firm must:
(1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and
(2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.

SYSC 12.1.9

See Notes

handbook-guidance
For the purposes of SYSC 12.1.8 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business and of the risks that the group bears. Riskmanagement processes must include the stress testing and scenario analysis required by GENPRU 1.2.42 R and GENPRU 1.2.49R (1)(b).

SYSC 12.1.10

See Notes

handbook-rule
The internal control mechanisms referred to in SYSC 12.1.8 R must include:
(1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency, systems and controls and large exposures):
(a) to which the firm is subject with respect to its membership of a group; or
(b) that apply to or with respect to that group or part of it; and
(2) mechanisms that are adequate to monitor funding within the group.

Financial conglomerates

SYSC 12.1.11

See Notes

handbook-rule
Where this section applies with respect to a financial conglomerate, the risk management processes referred to in SYSC 12.1.8R (2) must include:
(1) sound governance and management processes, which must include the approval and periodic review by the appropriate managing bodies within the financial conglomerate of the strategies and policies of the financial conglomerate in respect of all the risks assumed by the financial conglomerate, such review and approval being carried out at the level of the financial conglomerate;
(2) adequate capital adequacy policies at the level of the financial conglomerate, one of the purposes of which must be to anticipate the impact of the business strategy of the financial conglomerate on its risk profile and on the capital adequacy requirements to which it and its members are subject;
(3) adequate procedures for the purpose of ensuring that the risk monitoring systems of the financial conglomerate and its members are well integrated into their organisation;
(4) adequate procedures for the purpose of ensuring that the systems and controls of the members of the financial conglomerate are consistent and that the risks can be measured, monitored and controlled at the level of the financial conglomerate; and
(5) arrangements in place to contribute to and develop, if required, adequate recovery and resolution arrangements and plans; a firm must update these arrangements regularly.
[Note: article 9(2) of the Financial Groups Directive]

SYSC 12.1.12

See Notes

handbook-rule
Where this section applies with respect to a financial conglomerate, the internal control mechanisms referred to in SYSC 12.1.8R (2) must include:
(1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate to risks; and
(2) sound reporting and accounting procedures for the purpose of identifying, measuring, monitoring and controlling intra-group transactions and risk concentrations.

CRR firms and non-CRR firms that are parent financial holding companies in a Member State

SYSC 12.1.13

See Notes

handbook-rule

If this rule applies under SYSC 12.1.14 R to a firm, the firm must:

(1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEAsub-group of which it is a member, as well as in relation to its group; and
(2) ensure that the risk management processes and internal control mechanisms at the level of any consolidation group or non-EEAsub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated) basis:
(bA) SYSC 4.3A;
(d) SYSC 7;
(dA) the Remuneration Code or the Dual-regulated Firms Remuneration Code, whichever is applicable;
(f) [deleted];
(g) [deleted];
(h) [deleted];

[Note: article 109(2) of CRD]
(3) ensure that compliance with the obligations in (2) enables the consolidation group or the non-EEA sub-group to have arrangements, processes and mechanisms that are consistent and well integrated and that any data relevant to the purpose of supervision can be produced.

[Note: article 109(2) of CRD]

SYSC 12.1.13A

See Notes

handbook-rule

If this rule applies under SYSC 12.1.14R to a firm, the firm must:

(1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEA sub-group of which it is a member, as well as in relation to its group; and

(2) ensure that the risk management processes and internal control mechanisms at the level of any consolidation group or non-EEA sub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated) basis:

(bA) SYSC 4.3A;
(d) SYSC 7;
(dA) the Remuneration Code;
(e) [deleted];
(f) [deleted];
(g) [deleted];
(h) [deleted];
[Note: article 109(2) of CRD]

(3) ensure that compliance with the obligations in (2) enables the consolidation group or non-EEA sub-group to have arrangements, processes and mechanisms that are consistent and well integrated and that any data relevant to the purpose of supervision can be produced.

[Note: article 109(2) of CRD]

SYSC 12.1.13B

See Notes

handbook-rule
When applying SYSC 12.1.13 A, CRR firms must read references to:
(1) SYSC 4.1.1 R and SYSC 4.1.2 R as references to General Organisation Requirements 2.1 and 2.2 of the PRA Rulebook;
(2) SYSC 4.1.7 R as a reference to General Organisation Requirement 2.6 of the PRA Rulebook;
(3) SYSC 4.3A as a reference to chapters 5 and 6 of the General Organisation Requirements Part of the PRA Rulebook;
(4) SYSC 5.1.7 R as a reference to Skills, Knowledge and Expertise 3.2 of the PRA Rulebook;
(5) SYSC 7 as a reference to Chapters 2 and 3 of the Risk Control Part of the PRA Rulebook;

SYSC 12.1.14

See Notes

handbook-rule
SYSC 12.1.13 R applies to a firm that is:
(1) [deleted]
(2) a CRRfirm; or

SYSC 12.1.15

See Notes

handbook-rule
In the case of a firm that:
(1) is a CRR firm; and
the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm'sparent undertakingmixed-activity holding company and any of the mixed-activity holding company'ssubsidiary undertakings.

Insurance undertakings

SYSC 12.1.16

See Notes

handbook-rule
In the case of an insurer that has a mixed-activity insurance holding company as a parent undertaking, the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm'sparent undertakingmixed-activity insurance holding company and any of the mixed-activity insurance holding company'ssubsidiary undertakings.

Nature and extent of requirements and allocation of responsibilities within the group

SYSC 12.1.18

See Notes

handbook-guidance
Assessment of the adequacy of a group's systems and controls required by this section will form part of the appropriate regulator's risk management process.

SYSC 12.1.19

See Notes

handbook-guidance
The nature and extent of the systems and controls necessary under SYSC 12.1.8R (1) to address group risk will vary according to the materiality of those risks to the firm and the position of the firm within the group.

SYSC 12.1.20

See Notes

handbook-guidance
In some cases the management of the systems and controls used to address the risks described in SYSC 12.1.8R (1) may be organised on a group-wide basis. If the firm is not carrying out those functions itself, it should delegate them to the group members that are carrying them out. However, this does not relieve the firm of responsibility for complying with its obligations under SYSC 12.1.8R (1). A firm cannot absolve itself of such a responsibility by claiming that any breach of that rule is caused by the actions of another member of the group to whom the firm has delegated tasks. The risk management arrangements are still those of the firm, even though personnel elsewhere in the firm'sgroup are carrying out these functions on its behalf.

SYSC 12.1.21

See Notes

handbook-guidance
SYSC 12.1.8R (1) deals with the systems and controls that a firm should have in respect of the exposure it has to the rest of the group. On the other hand, the purpose of SYSC 12.1.8R (2) and the rules in this section that amplify it is to require groups to have adequate systems and controls. However a group is not a single legal entity on which obligations can be imposed. Therefore the obligations have to be placed on individual firms. The purpose of imposing the obligations on each firm in the group is to make sure that the appropriate regulator can take supervisory action against any firm in a group whose systems and controls do not meet the standards in this section. Thus responsibility for compliance with the rules for group systems and controls is a joint one.

SYSC 12.1.22

See Notes

handbook-guidance
If both a firm and its parent undertaking are subject to SYSC 12.1.8R (2), the appropriate regulator would not expect systems and controls to be duplicated. In this case, the firm should assess whether and to what extent it can rely on its parent's group risk systems and controls.

SYSC 13

Operational risk: systems and controls for insurers

SYSC 13.1

Application

SYSC 13.1.1

See Notes

handbook-guidance
SYSC 13 applies to an insurer unless it is:

SYSC 13.1.2

See Notes

handbook-guidance
SYSC 13 applies to:

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

SYSC 13.1.3

See Notes

handbook-guidance
SYSC 13 applies to a UK ISPV.

SYSC 13.1.4

See Notes

handbook-guidance
SYSC 13 does not apply to an incoming ECA provider acting as such.

SYSC 13.2

Purpose

SYSC 13.2.1

See Notes

handbook-guidance
SYSC 13 provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any of a firm's operations, such as its IT systems and outsourcing arrangements. It does not cover systems and controls for managing credit, market, liquidity and insurance risk.

SYSC 13.2.2

See Notes

handbook-guidance
Operational risk is a concept that can have a different application for different firms. A firm should assess the appropriateness of the guidance in this chapter in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3, to organise and control its affairs responsibly and effectively.

SYSC 13.2.3

See Notes

handbook-guidance
A firm should take steps to understand the types of operational risk that are relevant to its particular circumstances, and the operational losses to which they expose the firm. This should include considering the potential sources of operational risk addressed in this chapter: people; processes and systems; external events.

SYSC 13.2.4B

See Notes

handbook-guidance
Operational risk can affect, amongst other things, a firm's solvency. A firm should consider all operational risk events that may affect these matters in establishing and maintaining its systems and controls.

SYSC 13.3

Other related Handbook sections

SYSC 13.3.1B

See Notes

handbook-guidance
The following is a non-exhaustive list of rules and guidance in the Handbook that are relevant to a firm's management of operational risk:
(1) SYSC 14 and INSPRU 5.1 contain specific rules and guidance for the establishment and maintenance of operational risk systems and controls.

SYSC 13.4

Requirements to notify the appropriate regulator

SYSC 13.4.1

See Notes

handbook-guidance
Under Principle 11 and SUP 15.3.1 R, a firm must notify the appropriate regulator immediately of any operational risk matter of which the appropriate regulator would reasonably expect notice. SUP 15.3.8 G provides guidance on the occurrences that this requirement covers, which include a significant failure in systems and controls and a significant operational loss.

SYSC 13.4.2

See Notes

handbook-guidance
Regarding operational risk, matters of which the appropriate regulator would expect notice under Principle 11 include:
(1) any significant operational exposures that a firm has identified;
(2) the firm's invocation of a business continuity plan; and
(3) any other significant change to a firm's organisation, infrastructure or business operating environment.

SYSC 13.5

Risk management terms

SYSC 13.5.1

See Notes

handbook-guidance
In this chapter, the following interpretations of risk management terms apply:
(1) a firm's risk culture encompasses the general awareness, attitude and behaviour of its employees and appointed representativesor, where applicable, its tied agents,to risk and the management of risk within the organisation;
(2) operational exposure means the degree of operational risk faced by a firm and is usually expressed in terms of the likelihood and impact of a particular type of operational loss occurring (for example, fraud, damage to physical assets);
(3) a firm's operational risk profile describes the types of operational risks that it faces, including those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients, and its exposure to these risks.

SYSC 13.6

People

SYSC 13.6.1

See Notes

handbook-guidance
A firm should consult SYSC 3.2.2 G to SYSC 3.2.5 G for guidance on reporting lines and delegation of functions within a firm and SYSC 3.2.13 G to SYSC 3.2.14 G for guidance on the suitability of employees and appointed representatives or, where applicable, its tied agents. This section provides additional guidance on management of employees and other human resources in the context of operational risk.

SYSC 13.6.2

See Notes

handbook-guidance
A firm should establish and maintain appropriate systems and controls for the management of operational risks that can arise from employees. In doing so, a firm should have regard to:
(1) its operational risk culture, and any variations in this or its human resource management practices, across its operations (including, for example, the extent to which the compliance culture is extended to in-house IT staff);
(2) whether the way employees are remunerated exposes the firm to the risk that it will not be able to meet its regulatory obligations (see SYSC 3.2.18 G). For example, a firm should consider how well remuneration and performance indicators reflect the firm's tolerance for operational risk, and the adequacy of these indicators for measuring performance;
(3) whether inadequate or inappropriate training of client-facing services exposes clients to risk of loss or unfair treatment including by not enabling effective communication with the firm;
(4) the extent of its compliance with applicable regulatory and other requirements that relate to the welfare and conduct of employees;
(5) its arrangements for the continuity of operations in the event of employee unavailability or loss;
(6) the relationship between indicators of 'people risk' (such as overtime, sickness, and employee turnover levels) and exposure to operational losses; and
(7) the relevance of all the above to employees of a third party supplier who are involved in performing an outsourcing arrangement. As necessary, a firm should review and consider the adequacy of the staffing arrangements and policies of a service provider.

Employee responsibilities

SYSC 13.6.3

See Notes

handbook-guidance
A firm should ensure that all employees are capable of performing, and aware of, their operational risk management responsibilities, including by establishing and maintaining:
(1) appropriate segregation of employees' duties and appropriate supervision of employees in the performance of their responsibilities (see SYSC 3.2.5 G);
(2) appropriate recruitment and subsequent processes to review the fitness and propriety of employees (see SYSC 3.2.13 G and SYSC 3.2.14 G);
(3) clear policy statements and appropriate systems and procedures manuals that are effectively communicated to employees and available for employees to refer to as required. These should cover, for example, compliance, IT security and health and safety issues;
(4) training processes that enable employees to attain and maintain appropriate competence; and
(5) appropriate and properly enforced disciplinary and employment termination policies and procedures.

SYSC 13.6.4

See Notes

handbook-guidance
A firm should have regard to SYSC 13.6.3 G in relation to approved persons, people occupying positions of high personal trust (for example, security administration, payment and settlement functions); and people occupying positions requiring significant technical competence (for example, derivatives trading and technical security administration). A firm should also consider the rules and guidance for approved persons in other parts of the Handbook (including APER and SUP) and the rules and guidance on senior manager responsibilities in SYSC 2.1 (Apportionment of Responsibilities).

SYSC 13.7

Processes and systems

SYSC 13.7.1

See Notes

handbook-guidance
A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to:
(1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems);
(2) controls that will help it to prevent system and process failures or identify them to permit prompt rectification (including pre-approval or reconciliation processes);
(3) whether the design and use of its processes and systems allow it to comply adequately with regulatory and other requirements;
(4) its arrangements for the continuity of operations in the event that a significant process or system becomes unavailable or is destroyed; and
(5) the importance of monitoring indicators of process or system risk (including reconciliation exceptions, compensation payments for client losses and documentation errors) and experience of operational losses and exposures.

Internal documentation

SYSC 13.7.2

See Notes

handbook-guidance
Internal documentation may enhance understanding and aid continuity of operations, so a firm should ensure the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational risk.

External documentation

SYSC 13.7.3

See Notes

handbook-guidance
A firm may use external documentation (including contracts, transaction statements or advertising brochures) to define or clarify terms and conditions for its products or activities, its business strategy (for example, including through press statements), or its brand. Inappropriate or inaccurate information in external documents can lead to significant operational exposure.

SYSC 13.7.4

See Notes

handbook-guidance
A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so, a firm should have regard to:
(1) compliance with applicable regulatory and other requirements;
(2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard terms (whose meaning may not yet be settled or whose effectiveness may be uncertain);
(3) the manner in which its documentation is issued; and
(4) the extent to which confirmation of acceptance is required (including by customer signature or counterparty confirmation).

IT systems

SYSC 13.7.5

See Notes

handbook-guidance
IT systems include the computer systems and infrastructure required for the automation of processes, such as application and operating system software; network infrastructure; and desktop, server, and mainframe hardware. Automation may reduce a firm's exposure to some 'people risks' (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.

SYSC 13.7.6

See Notes

handbook-guidance
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:
(1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
(2) the extent to which technology requirements are addressed in its business strategy;
(3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
(4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).

Information security

SYSC 13.7.7

See Notes

handbook-guidance
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to:
(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.

SYSC 13.7.8

See Notes

handbook-guidance
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

Geographic location

SYSC 13.7.9

See Notes

handbook-guidance
Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to:
(1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or cultural differences on the provision of services);
(2) relevant local regulatory and other requirements regarding data protection and transfer;
(3) the extent to which local regulatory and other requirements may restrict its ability to meet regulatory obligations in the United Kingdom (for example, access to information by the appropriate regulator and local restrictions on internal or external audit); and
(4) the timeliness of information flows to and from its headquarters and whether the level of delegated authority and the risk management structures of the overseas operation are compatible with the firm's head office arrangements.

SYSC 13.8

External events and other changes

SYSC 13.8.1

See Notes

handbook-guidance
The exposure of a firm to operational risk may increase during times of significant change to its organisation, infrastructure and business operating environment (for example, following a corporate restructure or changes in regulatory requirements). Before, during, and after expected changes, a firm should assess and monitor their effect on its risk profile, including with regard to:
(1) untrained or de-motivated employees or a significant loss of employees during the period of change, or subsequently;
(2) inadequate human resources or inexperienced employees carrying out routine business activities owing to the prioritisation of resources to the programme or project;
(3) process or system instability and poor management information due to failures in integration or increased demand; and
(4) inadequate or inappropriate processes following business re-engineering.

SYSC 13.8.2

See Notes

handbook-guidance
A firm should establish and maintain appropriate systems and controls for the management of the risks involved in expected changes, such as by ensuring:
(1) the adequacy of its organisation and reporting structure for managing the change (including the adequacy of senior management oversight);
(2) the adequacy of the management processes and systems for managing the change (including planning, approval, implementation and review processes); and
(3) the adequacy of its strategy for communicating changes in systems and controls to its employees.

Unexpected changes and business continuity management

SYSC 13.8.3

See Notes

handbook-guidance
SYSC 3.2.19 G provides high level guidance on business continuity. This section provides additional guidance on managing business continuity in the context of operational risk.

SYSC 13.8.4A

See Notes

handbook-guidance
The high level requirement for appropriate systems and controls at SYSC 3.1.1 R applies at all times, including when a business continuity plan is invoked. However, the appropriate regulator recognises that, in an emergency, a firm may be unable to comply with a particular rule and the conditions for relief are outlined in Chapter 2 of the General Provisions Part of the PRA Rulebook.

SYSC 13.8.5

See Notes

handbook-guidance
A firm should consider the likelihood and impact of a disruption to the continuity of its operations from unexpected events. This should include assessing the disruptions to which it is particularly susceptible (and the likely timescale of those disruptions) including through:
(1) loss or failure of internal and external resources (such as people, systems and other assets);
(2) the loss or corruption of its information; and
(3) external events (such as vandalism, war and "acts of God").

SYSC 13.8.6

See Notes

handbook-guidance
A firm should implement appropriate arrangements to maintain the continuity of its operations. A firm should act to reduce both the likelihood of a disruption (including by succession planning, systems resilience and dual processing); and the impact of a disruption (including by contingency arrangements and insurance).

SYSC 13.8.7

See Notes

handbook-guidance
A firm should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. A firm should establish:
(1) formal business continuity plans that outline arrangements to reduce the impact of a short, medium or long-term disruption, including:
(a) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
(b) the recovery priorities for the firm's operations; and
(c) communication arrangements for internal and external concerned parties (including the appropriate regulator, clients and the press);
(2) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) processes to validate the integrity of information affected by the disruption;
(4) processes to review and update (1) to (3) following changes to the firm's operations or risk profile (including changes identified through testing).

SYSC 13.8.8

See Notes

handbook-guidance
The use of an alternative site for recovery of operations is common practice in business continuity management. A firm that uses an alternative site should assess the appropriateness of the site, particularly for location, speed of recovery and adequacy of resources. Where a site is shared, a firm should evaluate the risk of multiple calls on shared resources and adjust its plans accordingly.

SYSC 13.9

Outsourcing

SYSC 13.9.1

See Notes

handbook-guidance
As SYSC 3.2.4 G explains, a firm cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions. This section provides additional guidance on managing outsourcing arrangements (and will be relevant, to some extent, to other forms of third party dependency) in relation to operational risk. Outsourcing may affect a firm's exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.

SYSC 13.9.2

See Notes

handbook-guidance
Firms should take particular care to manage material outsourcing arrangements and, as SUP 15.3.8 G (1)(e) explains, a firm should notify the appropriate regulator when it intends to enter into a material outsourcing arrangement.

SYSC 13.9.3

See Notes

handbook-guidance
A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk.

SYSC 13.9.4

See Notes

handbook-guidance
Before entering into, or significantly changing, an outsourcing arrangement, a firm should:
(1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) conduct appropriate due diligence of the service provider's financial stability and expertise;
(4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

SYSC 13.9.5

See Notes

handbook-guidance
In negotiating its contract with a service provider, a firm should have regard to:
(1) reporting or notification requirements it may wish to impose on the service provider;
(2) whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the Act) and to the appropriate regulator (see SUP 2.3.5 R (Access to premises) and SUP 2.3.7 R (Suppliers under material outsourcing arrangements);
(3) information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
(4) the adequacy of any guarantees and indemnities;
(5) the extent to which the service provider must comply with the firm's policies and procedures (covering, for example, information security);
(6) the extent to which a service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
(7) the need for continued availability of software following difficulty at a third party supplier;
(8) the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
(a) a change of ownership or control (including insolvency or receivership) of the service provider or firm; or
(b) significant change in the business operations (including sub-contracting) of the service provider or firm; or
(c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

SYSC 13.9.6

See Notes

handbook-guidance
In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:
(1) the identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
(2) the evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
(3) remedial action and escalation processes for dealing with inadequate performance.

SYSC 13.9.7

See Notes

handbook-guidance
In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls. The use of such reports does not absolve the firm of responsibility to maintain other oversight. In addition, the firm should not normally have to forfeit its right to access, for itself or its agents, to the service provider's premises.

SYSC 13.9.8

See Notes

handbook-guidance
A firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement.

SYSC 13.10

Insurance

SYSC 13.10.1

See Notes

handbook-guidance
Whilst a firm may take out insurance with the aim of reducing the monetary impact of operational risk events, non-monetary impacts may remain (including impact on the firm's reputation). A firm should not assume that insurance alone can replace robust systems and controls.

SYSC 13.10.2

See Notes

handbook-guidance
When considering utilising insurance, a firm should consider:
(1) the time taken for the insurer to pay claims (including the potential time taken in disputing cover) and the firm's funding of operations whilst awaiting payment of claims;
(2) the financial strength of the insurer, which may determine its ability to pay claims, particularly where large or numerous small claims are made at the same time; and
(3) the effect of any limiting conditions and exclusion clauses that may restrict cover to a small number of specific operational losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).

SYSC 14

Risk management and associated systems and controls for insurers

SYSC 14.1

Application

SYSC 14.1.1

See Notes

handbook-rule
This section applies to an insurer unless it is:

SYSC 14.1.2

See Notes

handbook-rule
This section applies to:only in respect of the activities of the firm carried on from a branch in the United Kingdom.

SYSC 14.1.2A

See Notes

handbook-rule
This section does not apply to an incoming ECA provider acting as such.

Purpose

SYSC 14.1.3

See Notes

handbook-guidance
This section sets out some rules and guidance on the establishment and maintenance of systems and controls for the management of a firm's prudential risks. A firm's prudential risks are those that can reduce the adequacy of its financial resources, and as a result may adversely affect its safety and soundness or prejudice policyholders. Some key prudential risks are credit, market, liquidity, operational, insurance and group risk.

SYSC 14.1.4

See Notes

handbook-guidance
The purpose of this section is to serve the PRA's statutory objectives of promoting the safety and soundness of PRA-authorised persons and contributing to the securing of an appropriate degree of protection for those who are, or may become, policyholders.In particular, this section aims to reduce the risk that a firm may pose a threat to these statutory objectives , either because it is not prudently managed, or because it has inadequate systems to permit appropriate senior management oversight and control of its business.

SYSC 14.1.5

See Notes

handbook-guidance
Both adequate financial resources and adequate systems and controls are necessary for the effective management of prudential risks. A firm may hold financial resources to help alleviate the financial consequences of minor weaknesses in its systems and controls (to reflect possible impairments in the accuracy or timing of its identification, measurement, monitoring and control of certain risks, for example). However, financial resources cannot adequately compensate for significant weaknesses in a firm's systems and controls that could fundamentally undermine its ability to control its affairs effectively.

How to interpret this section

SYSC 14.1.6

See Notes

handbook-guidance
This section is designed to amplify the requirement that a firm must organise and control its affairs responsibly and effectively, and have effective risk strategies and adequate risk management systems. This section is also designed to be complementary to SYSC 2, SYSC 3 and SYSC 13 in that it contains some additional rules and guidance on senior management arrangements and associated systems and controls for firms that could have a significant impact on the PRA's objectives.

SYSC 14.1.7

See Notes

handbook-guidance
In addition to supporting SYSC 2, SYSC 3 and SYSC 13, this section lays the foundations for the more specific rules and guidance on the management of credit, market, liquidity, operational, insurance and group risks that are in SYSC 11, SYSC 12, SYSC 15, SYSC 16 and INSPRU 5.1. Many of the elements raised here in general terms are expanded upon in these sections.

SYSC 14.1.8

See Notes

handbook-guidance
Appropriate systems and controls for the management of prudential risk will vary from firm to firm. Therefore, most of the material in this section is guidance. In interpreting this guidance, a firm should have regard to its own particular circumstances. Following from SYSC 3.1.2 G, this should include considering the nature, scale and complexity of its business, which may be influenced by factors such as:
(1) the diversity of its operations, including geographical diversity;
(2) the volume and size of its transactions; and
(3) the degree of risk associated with each area of its operation.

SYSC 14.1.9

See Notes

handbook-guidance
The guidance contained within this section is not designed to be exhaustive. When establishing and maintaining its systems and controls a firm should have regard not only to other parts of the Handbook, but also to material that is issued by other industry or regulatory bodies.

The role of systems and controls

SYSC 14.1.10

See Notes

handbook-guidance
A firm's systems and controls should provide its senior management with an adequate means of managing the firm. As such, they should be designed and maintained to ensure that senior management is able to make and implement integrated business planning and risk management decisions on the basis of accurate information about the risks that the firm faces and the financial resources that it has.

The prudential responsibilities of senior management and the apportionment of those responsibilities

SYSC 14.1.11

See Notes

handbook-guidance
Ultimate responsibility for the management of prudential risks rests with a firm'sgoverning body and relevant senior managers, and in particular with those individuals that undertake the firm'sgoverning functions and the apportionment and oversight function. In particular, these responsibilities should include:
(1) overseeing the establishment of an appropriate business plan and risk management strategy;
(2) overseeing the development of appropriate systems for the management of prudential risks;
(3) establishing adequate internal controls; and
(4) ensuring that the firm maintains adequate financial resources.

The delegation of responsibilities within the firm

SYSC 14.1.12

See Notes

handbook-guidance
Although authority for the management of a firm's prudential risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

SYSC 14.1.13

See Notes

handbook-guidance
Where delegation does occur, a firm should ensure that appropriate systems and controls are in place to allow its governing body and relevant senior managers to participate in and control its prudential risk management activities. The governing body and relevant senior managers should approve and periodically review these systems and controls to ensure that delegated duties are being performed correctly.

Firms subject to risk management on a group basis

SYSC 14.1.14

See Notes

handbook-guidance
Some firms organise the management of their prudential risks on a stand-alone basis. In some cases, however, the management of a firm's prudential risks may be entirely or largely subsumed within a whole group or sub-group basis.
(1) The latter arrangement may still comply with the PRA's policyon systems and controls if the firm'sgoverning body formally delegates the functions that are to be carried out in this way to the persons or bodies that are to carry them out. Before doing so, however, the firm'sgoverning body should have explicitly considered the arrangement and decided that it is appropriate and that it enables the firm to meet the PRA's policy on systems and controls. The firm should notify the PRA if the management of its prudential risks is to be carried out in this way.
(2) Where the management of a firm's prudential risks is largely, but not entirely, subsumed within a whole group or sub-group basis, the firm should ensure that any prudential issues that are specific to the firm are:
(a) identified and adequately covered by those to whom it has delegated certain prudential risk management tasks; or
(b) dealt with by the firm itself.

SYSC 14.1.15

See Notes

handbook-guidance
Any delegation of the management of prudential risks to another part of a firm'sgroup does not relieve it of responsibility for complying with the PRA's policy on systems and controls. A firm cannot absolve itself of such a responsibility by claiming that any breach of the PRA's policy on systems and controls is effected by the actions of a third party firm to whom the firm has delegated tasks. The risk management arrangements are still those of the firm, even though personnel elsewhere in the firm'sgroup are carrying out these functions on its behalf. Thus any references in