SYSC 3
Systems and Controls
SYSC 3.1
Systems and Controls
- 01/12/2004
SYSC 3.1.1
See Notes
A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
- 01/04/2013
SYSC 3.1.2
See Notes
(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including:
(a) the nature, scale and complexity of its business;
(b) the diversity of its operations, including geographical diversity;
(c) the volume and size of its transactions; and
(d) the degree of risk associated with each area of its operation.
(2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.
(3) The areas typically covered by the systems and controls referred to in SYSC 3.1.1 R are those identified in SYSC 3.2. Detailed requirements regarding systems and controls relevant to particular business areas or particular types of firm are covered elsewhere in the Handbook.
- 01/04/2013
SYSC 3.1.2A
See Notes
- 01/04/2013
SYSC 3.1.3
See Notes
Where the
UK Corporate Governance Code
is relevant to a firm, the
appropriate regulator, in considering whether the firm's obligations under SYSC 3.1.1 R have been met, will give it due credit for following corresponding provisions in the codeand related guidance.
- 01/04/2013
SYSC 3.1.5
See Notes
SYSC 2.1.3 R (2) prescribes how a firm must allocate the function of overseeing the establishment and maintenance of systems and controls described in SYSC 3.1.1 R.
- 01/04/2013
SYSC 3.1.6
See Notes
A firm which is not a common platform firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.
- 01/04/2013
SYSC 3.1.7
See Notes
When complying with the competent employees rules, a firm must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business.
- 01/04/2013
SYSC 3.1.10
See Notes
If a firm requires employees who are not subject to a qualification requirement in TC to pass a relevant examination from the list of recommended examinations maintained by the Financial Skills Partnership, the appropriate regulator will take that into account when assessing whether the firm has ensured that the employee satisfies the knowledge component of the competent employees rule.
- 01/04/2013
SYSC 3.2
Areas covered by systems and controls
- 01/12/2004
Introduction
SYSC 3.2.1
See Notes
This section covers some of the main issues which a firm is expected to consider in establishing and maintaining the systems and controls appropriate to its business, as required by SYSC 3.1.1 R.
- 01/04/2013
Organisation
SYSC 3.2.2
See Notes
- 01/04/2013
SYSC 3.2.3
See Notes
(1) A firm's governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives or, where applicable, its tied agents, appropriate safeguards should be put in place.
(2) When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved.
(3) The extent and limits of any delegation should be made clear to those concerned.
(4) There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks.
(5) If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.
- 01/04/2013
SYSC 3.2.4
See Notes
(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.
(2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.
- 01/04/2013
SYSC 3.2.5
See Notes
Where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.
- 01/04/2013
The compliance function
SYSC 3.2.7
See Notes
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
(2) [deleted]
(3) [deleted]
- 01/04/2013
Risk assessment
SYSC 3.2.10
See Notes
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate risk assessment function responsible for assessing the risks that the firm faces and advising the governing body and senior managers on them.
(2) The organisation and responsibilities of a risk assessment function should be documented. The function should be adequately resourced and staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively.
(3) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).
- 01/04/2013
Management information
SYSC 3.2.11B
See Notes
(1)
A firm's arrangements should be such as to furnish its governing body with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Three factors will be the relevance, reliability and timeliness of that information.
(2) Risks of regulatory concern are those risks which relate to the safety and soundness of PRA-authorised persons.
- 01/04/2013
SYSC 3.2.12
See Notes
It is the responsibility of the firm to decide what information is required, when, and for whom, so that it can organise and control its activities and can comply with its regulatory obligations. The detail and extent of information required will depend on the nature, scale and complexity of the business.
- 01/04/2013
Employees and agents
SYSC 3.2.13
See Notes
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it.
- 01/04/2013
SYSC 3.2.14
See Notes
(1)
SYSC 3.2.13 G includes assessing an individual's honesty, and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
(2) Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.
(3) [deleted]
(4) The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10.
- 01/04/2013
Audit committee
SYSC 3.2.15
See Notes
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G) and provide an interface between management and the external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.
- 01/04/2013
Internal audit
SYSC 3.2.16
See Notes
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
(2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).
- 01/04/2013
Business strategy
SYSC 3.2.17
See Notes
A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.
- 01/04/2013
Remuneration policies
SYSC 3.2.18
See Notes
It is possible that firms' remuneration policies will from time to time lead to tensions between the ability of the firm to meet the requirements and standards under the regulatory system and the personal advantage of those who act for it. Where tensions exist, these should be appropriately managed.
- 01/04/2013
Business continuity
SYSC 3.2.19
See Notes
A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.
- 01/04/2013
Records
SYSC 3.2.20
See Notes
(1) A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.
(2) Subject to (3) and to any other record-keeping rule in the Handbook, the records required by (1) or by such other rule must be capable of being reproduced in the English language on paper.
(3) If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language as required by (2).
- 01/04/2013
SYSC 3.2.21
See Notes
A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
- 01/04/2013