SYSC 1
Application and purpose
SYSC 1.1
Application of SYSC 2 and SYSC 3
- 01/12/2004
Purpose of this section
SYSC 1.1.-2
See Notes
- 01/12/2001
SYSC 1.1.-1
See Notes
- 31/12/2004
Who?
SYSC 1.1.1
See Notes
SYSC 2 and SYSC 3 apply to every firm except that:
- (1) for an incoming EEA firm or an incoming Treaty firm:
- (a) SYSC 2.1.1 R and SYSC 2.1.2 G do not apply;
- (b) SYSC 2.1.3 R to SYSC 2.2.3 G apply, but only in relation to allocation of the function in SYSC 2.1.3 R (2) and only in so far as responsibility for the matter in question is not reserved by a European Community instrument to the firm's Home State regulator; and
- (c) SYSC 3 applies, but only in so far as responsibility for the matter in question is not reserved by a European Community instrument to the firm's Home State regulator;
- (2) for an incoming EEA firm which has permission only for cross border services and which does not carry on regulated activities in the United Kingdom, SYSC 2 and SYSC 3 do not apply;
- (2A) for an incoming Treaty firm which has permission only for cross border services and which does not carry on regulated activities in the United Kingdom, SYSC 3.2.6A R to SYSC 3.2.6J G do not apply;
- (3) for a sole trader:
- (a) SYSC 2 does not apply as long as he does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements);
- (b) SYSC 3.2.6I R does not apply if he has no employees;
- (4) for a UCITS qualifier:
- (a) SYSC 2.1.1 R and SYSC 2.1.2 G do not apply;
- (b) SYSC 2.1.3 R to SYSC 2.2.3 G apply, but only in relation to allocation of the function in SYSC 2.1.3 R (2) and only with respect to the activities in SYSC 1.1.4 R;
- (c) SYSC 3 applies, but only with respect to the activities in SYSC 1.1.4 R;
- (5) for an authorised professional firm when carrying on non-mainstream regulated activities, SYSC 3.2.6A R to SYSC 3.2.6J G do not apply; and
- (6) SYSC 3.2.23 R to SYSC 3.2.36 R apply only to a BIPRU firm .
SYSC 1.1.2
See Notes
- (1) Question 12 in SYSC 2.1.6 G and SYSC App 1 contain guidance on SYSC 1.1.1 R (1)(b) and (c).
- (2) SYSC 1.1.7 R and SYSC 1.1.10 R further restrict the territorial application of SYSC 2 and SYSC 3 for an incoming EEA firm, incoming Treaty firm or UCITS qualifier.
- (3) SYSC 1.1.1 R (4) puts incoming EEA firm on an equal footing with unauthorised overseas persons who utilise the overseas persons exclusions in article 72 of the Regulated Activities Order.
What?
SYSC 1.1.3
See Notes
SYSC 2 and SYSC 3 apply with respect to the carrying on of:
- (1) regulated activities;
- (2) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of the Regulated Activities Order (Absence of holding out etc); and
- (3) ancillary activities in relation to designated investment business, home finance activity and insurance mediation activity;
except that SYSC 3.2.6A R to SYSC 3.2.6J G do not apply as described in SYSC 1.1.3A R.
SYSC 1.1.3A
See Notes
SYSC 3.2.6A R to SYSC 3.2.6J G do not apply:
- (1) with respect to the activities described in SYSC 1.1.3 R (2) and (3); or
- (2) in relation to the following regulated activities:
- (a) general insurance business;
- (b) insurance mediation activity in relation to a general insurance contract or pure protection contract;
- (c) long-term insurance business which is outside the Consolidated Life Directive (unless it is otherwise one of the regulated activities specified in this rule);
- (d) business relating to contracts which are within the Regulated Activities Order only because they fall within paragraph (e) of the definition of "contract of insurance" in article 3 of that Order;
- (e)
- (i) arranging, by the Society of Lloyd's, of deals in general insurance contracts written at Lloyd's; and
- (ii) managing the underwriting capacity of a Lloyd's syndicate as a managing agent at Lloyd's; and
- (f) mortgage mediation activity and administering a regulated mortgage contract
SYSC 1.1.4
See Notes
SYSC 2 and SYSC 3, except SYSC 3.2.6A R to SYSC 3.2.6J G, also apply with respect to the communication and approval of financial promotions which:
- (1) if communicated by an unauthorised person without approval would contravene section 21(1) of the Act (Restrictions on financial promotion); and
- (2) may be communicated by a firm without contravening section 238(1) of the Act (Restrictions on promotion of collective investment schemes).
- 01/03/2006
- Past version of SYSC 1.1.4 before 01/03/2006
SYSC 1.1.5
See Notes
SYSC 2 and SYSC 3, except SYSC 3.2.6A R to SYSC 3.2.6J G, also:
- (1) apply with respect to the carrying on of unregulated activities in a prudential context; and
- (2) take into account any activity of other members of a group of which the firm is a member.
- 01/03/2006
- Past version of SYSC 1.1.5 before 01/03/2006
SYSC 1.1.6
See Notes
- 01/12/2001
Where?
SYSC 1.1.7
See Notes
SYSC 1.1.8
See Notes
SYSC 1.1.9
See Notes
- 01/03/2006
- Past version of SYSC 1.1.9 before 01/03/2006
SYSC 1.1.10
See Notes
SYSC 1.1.11
See Notes
- (1) In considering whether to take regulatory action under SYSC 2 or SYSC 3 in relation to activities carried on outside the United Kingdom, the FSA will take into account the standards expected in the market in which the firm is operating.
- (2) Most of the rules in SYSC 3 are linked to other requirements and standards under the regulatory system which have their own territorial limitations so that those SYSC rules are similarly limited in scope.
- 01/05/2002
SYSC 1.1.11A
See Notes
- 01/11/2002
Actions for damages
SYSC 1.1.12
See Notes
- 01/05/2002
SYSC 1.2
Purpose
- 01/12/2004
SYSC 1.2.1
See Notes
The purposes of SYSC are:
- (1) to encourage firms' directors and senior managers to take appropriate practical responsibility for their firms' arrangements on matters likely to be of interest to the FSA because they impinge on the FSA's functions under the Act;
- (2) to increase certainty by amplifying Principle 3, under which a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems;
- (3) to encourage firms to vest responsibility for effective and responsible organisation in specific directors and senior managers;
- (4) to create a common platform of organisational and systems and controls requirements for firms subject to the CRD and/or MiFID; and
- (5) to set out high-level organisational and systems and controls requirements for insurers.
SYSC 1.3
Application of the common platform requirements
- 01/01/2007
Who?
SYSC 1.3.1
See Notes
- 01/01/2007
SYSC 1.3.1A
See Notes
- 01/01/2007
What?
SYSC 1.3.2
See Notes
The common platform organisational requirements apply with respect to the carrying on of the following (unless provided otherwise within a specific rule):
- (1) regulated activities;
- (2) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of the Regulated Activities Order (Absence of holding out etc); and
- (3) ancillary activities.
SYSC 1.3.3
See Notes
- 01/01/2007
SYSC 1.3.4
See Notes
SYSC 1.3.5
See Notes
The common platform requirements on financial crime apply as set out in SYSC 1.3.2 R, except that they do not apply:
- (1) with respect to:
- (a) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of the Regulated Activities Order (Absence of holding out etc); and
- (b) ancillary activities; or
- (2) in relation to the following regulated activities:
- (a) general insurance business;
- (b) insurance mediation activity in relation to a general insurance contract or pure protection contract;
- (c) long-term insurance business which is outside the Consolidated Life Directive (unless it is otherwise one of the regulated activities specified in this rule);
- (d) business relating to contracts which are within the Regulated Activities Order only because they fall within paragraph (e) of the definition of "contract of insurance" in article 3 of that Order;
- (e)
- (i) arranging by the Society of Lloyd's of deals in general insurance contracts written at Lloyd's; and
- (ii) managing the underwriting capacity of a Lloyd's syndicate as a managing agent at Lloyd's; and
- (f) home finance mediation activity and administering a home finance transaction.
- 01/01/2007
SYSC 1.3.6
See Notes
The common platform organisational requirements, except the common platform requirements on financial crime, also apply with respect to the communication and approval of financial promotions which:
- (1) if communicated by an unauthorised person without approval would contravene section 21(1) of the Act (Restrictions on financial promotion); and
- (2) may be communicated by a firm without contravening section 238(1) of the Act (Restrictions on promotion of collective investment schemes).
- 01/01/2007
SYSC 1.3.7
See Notes
The common platform organisational requirements, except the common platform requirements on financial crime, also:
- (1) apply with respect to the carrying on of unregulated activities in a prudential context; and
- (2) take into account any activity of other members of a group of which the firm is a member.
- 01/01/2007
SYSC 1.3.8
See Notes
- 01/01/2007
Where?
SYSC 1.3.9
See Notes
SYSC 1.3.10
See Notes
SYSC 1.3.11
See Notes
- 01/01/2007
Actions for damages
SYSC 1.3.12
See Notes
- 01/01/2007
SYSC 1.4
Application of SYSC 11 to SYSC 18
- 01/01/2007
- Future version of SYSC 1.4 after 01/01/2010
What?
SYSC 1.4.1
See Notes
Actions for damages
SYSC 1.4.2
See Notes
Export chapter as
SYSC 2
Senior management arrangements
SYSC 2.1
Apportionment of Responsibilities
- 01/12/2004
SYSC 2.1.1
See Notes
A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that:
- (1) it is clear who has which of those responsibilities; and
- (2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior managers and governing body of the firm.
SYSC 2.1.2
See Notes
SYSC 2.1.3
See Notes
A firm must appropriately allocate to one or more individuals, in accordance with SYSC 2.1.4 R, the functions of:
- (1) dealing with the apportionment of responsibilities under SYSC 2.1.1 R; and
- (2) overseeing the establishment and maintenance of systems and controls under SYSC 3.1.1 R.
SYSC 2.1.4
See Notes
Allocation of functions
This table belongs to SYSC 2.1.3 R
1: Firm type | 2: Allocation of both functions must be to the following individual, if any (see Note): | 3: Allocation to one or more individuals selected from this column is compulsory if there is no allocation to an individual in column 2, but is otherwise optional and additional: |
(1) A firm which is a body corporate and is a member of a group, other than a firm in row (2) | (1) the firm's chief executive (and all of them jointly, if more than one); or |
the firm's and its group's: (1) directors; and (2) senior managers |
(2) a director or senior manager responsible for the overall management of: |
||
(a) the group; or (b) a group division within which some or all of the firm's regulated activities fall |
||
(2) An incoming EEA firm or incoming Treaty firm (note: only the function in SYSC 2.1.3 R (2) must be allocated) | (not applicable) | the firm's and its group's: (1) directors; and (2) senior managers |
(3) Any other firm | the firm's chief executive (and all of them jointly, if more than one) | the firm's and its group's: (1) directors; and (2) senior manager's |
Note: Column 2 does not require the involvement of the chief executive or other executive director or senior manager in an aspect of corporate governance if that would be contrary to generally accepted principles of good corporate governance. |
SYSC 2.1.5
See Notes
SYSC 2.1.6
See Notes
Frequently asked questions about allocation of functions in SYSC 2.1.3 R
This table belongs to SYSC 2.1.5 G
Question | Answer | |
1 | Does an individual to whom a function is allocated under SYSC 2.1.3 R need to be an approved person? | An individual to whom a function is allocated under SYSC 2.1.3 R will be performing the apportionment and oversight function (CF 8, see SUP 10.7.1 R ) and an application must be made to the FSA for approval of the individual before the function is performed under section 59 of the Act (Approval for particular arrangements). There are exceptions from this in SUP 10.1 (Approved persons - Application). In particular, an incoming EEA firm is referred to the EEA investment business oversight function (CF 9, see SUP 10.7.6 R). |
2 | If the allocation is to more than one individual, can they perform the functions, or aspects of the functions, separately? | If the functions are allocated to joint chief executives under SYSC 2.1.4 R, column 2, they are expected to act jointly. If the functions are allocated to an individual under SYSC 2.1.4 R, column 2, in addition to individuals under SYSC 2.1.4 R, column 3, the former may normally be expected to perform a leading role in relation to the functions that reflects his position. Otherwise, yes. |
3 | What is meant by "appropriately allocate" in this context? | The allocation of functions should be compatible with delivering compliance with Principle 3, SYSC 2.1.1 R and SYSC 3.1.1 R. The FSA considers that allocation to one or two individuals is likely to be appropriate for most firms. |
4 | If a committee of management governs a firm or group, can the functions be allocated to every member of that committee? | Yes, as long as the allocation remains appropriate (see Question 3). If the firm also has an individual as chief executive, then the functions must be allocated to that individual as well under SYSC 2.1.4 R, column 2 (see Question 7). |
5 | Does the definition of chief executive include the possessor of equivalent responsibilities with another title, such as a managing director or managing partner? | Yes. |
6 | Is it possible for a firm to have more than one individual as its chief executive? | Although unusual, some firm may wish the responsibility of a chief executive to be held jointly by more than one individual. In that case, each of them will be a chief executive and the functions must be allocated to all of them under SYSC 2.1.4 R, column 2 (see also Questions 2 and 7). |
7 | If a firm has an individual as chief executive, must the functions be allocated to that individual? | Normally, yes, under SYSC 2.1.4 R, column 2. But if the firm is a body corporate and a member of a group, the functions may, instead of to the firm's chief executive, be allocated to a director or senior manager from the group responsible for the overall management of the group or of a relevant group division, so long as this is appropriate (see Question 3). Such individuals will nevertheless require approval by the FSA (see Question 1). If the firm chooses to allocate the functions to a director or senior manager responsible for the overall management of a relevant group division, the FSA would expect that individual to be of a seniority equivalent to or greater than a chief executive of the firm for the allocation to be appropriate. See also Question 14. |
8 | If a firm has a chief executive, can the functions be allocated to other individuals in addition to the chief executive? | Yes. SYSC 2.1.4 R, column 3, permits a firm to allocate the functions, additionally, to the firm's (or where applicable the group's) directors and senior managers as long as this is appropriate (see Question 3). |
9 | What if a firm does not have a chief executive? | Normally, the functions must be allocated to one or more individuals selected from the firm's (or where applicable the group's) directors and senior managers under SYSC 2.1.4 R, column 3. But if the firm: (1) is a body corporate and a member of a group; and (2) the group has a director or senior manager responsible for the overall management of the group or of a relevant group division; then the functions must be allocated to that individual (together, optionally, with individuals from column 3 if appropriate) under SYSC 2.1.4 R, column 2. |
10 | What do you mean by "group division within which some or all of the firm's regulated activities fall"? | A "division" in this context should be interpreted by reference to geographical operations, product lines or any other method by which the group's business is divided. If the firm's regulated activities fall within more than one division and the firm does not wish to allocate the functions to its chief executive, the allocation must, under SYSC 2.1.4 R, be to: (1) a director or senior manager responsible for the overall management of the group; or (2) a director or senior manager responsible for the overall management of one of those divisions; together, optionally, with individuals from column 3 if appropriate. (See also Questions 7 and 9.) |
11 | How does the requirement to allocate the functions in SYSC 2.1.3 R apply to an overseas firm which is not an incoming EEA firm, incoming Treaty firm or UCITS qualifier? | The firm must appropriately allocate those functions to one or more individuals, in accordance with SYSC 2.1.4 R, but: (1) The responsibilities that must be apportioned and the systems and controls that must be overseen are those relating to activities carried on from a UK establishment with certain exceptions (see SYSC 1.1.7 R). Note that SYSC 1.1.10 R does not extend the territorial scope of SYSC 2 for an overseas firm. (2) The chief executive of an overseas firm is the person responsible for the conduct of the firm's business within the United Kingdom (see the definition of "chief executive"). This might, for example, be the manager of the firm's UK establishment, or it might be the chief executive of the firm as a whole, if he has that responsibility. The apportionment and oversight function applies to such a firm, unless it falls within a particular exception from the approved persons regime (see Question 1). |
12 | How does the requirement to allocate the functions in SYSC 2.1.3 R apply to an incoming EEA firm or incoming Treaty firm? | SYSC 1.1.1 R (2) and SYSC 1.1.7 R restrict the application of SYSC 2.1.3 R for such a firm. Accordingly: (1) Such a firm is not required to allocate the function of dealing with apportionment in SYSC 2.1.3 R (1). (2) Such a firm is required to allocate the function of oversight in SYSC 2.1.3 R (2). However, the systems and controls that must be overseen are those relating to matters which the FSA, as Host State regulator, is entitled to regulate (there is guidance on this in SYSC App 1). Those are primarily, but not exclusively, the systems and controls relating to the conduct of the firm's activities carried on from its UK branch. (3) Such a firm need not allocate the function of oversight to its chief executive; it must allocate it to one or more directors and senior managers of the firm or the firm's group under SYSC 2.1.4 R, row (2). (4) An incoming EEA firm which has provision only for cross border services is not required to allocate either function if it does not carry on regulated activities in the United Kingdom; for example if they fall within the overseas persons exclusions in article 72 of the Regulated Activities Order. See also Questions 1 and 15. |
13 | What about a firm that is a partnership or a limited liability partnership? | The FSA envisages that most if not all partners or members will be either directors or senior managers, but this will depend on the constitution of the partnership (particularly in the case of a limited partnership) or limited liability partnership. A partnership or limited liability partnership may also have a chief executive (see Question 5). A limited liability partnership is a body corporate and, if a member of a group, will fall within SYSC 2.1.4 R, row (1) or (2). |
14 | What if generally accepted principles of good corporate governance recommend that the chief executive should not be involved in an aspect of corporate governance? | The Note to SYSC 2.1.4 R provides that the chief executive or other executive director or senior manager need not be involved in such circumstances. For example, the Combined Code developed by the Committee on Corporate Governance recommends that the board of a listed company should establish an audit committee of non-executive directors to be responsible for oversight of the audit. That aspect of the oversight function may therefore be allocated to the members of such a committee without involving the chief executive. Such individuals may require approval by the FSAin relation to that function (see Question 1). |
15 | What about incoming electronic commerce activities? | ECO 1.1.6 R has the effect that SYSC does not apply to an incoming ECA provider acting as such. |
SYSC 2.2
Recording the apportionment
- 01/12/2004
SYSC 2.2.1
See Notes
- (1) A firm must make a record of the arrangements it has made to satisfy SYSC 2.1.1 R (apportionment) and SYSC 2.1.3 R (allocation) and take reasonable care to keep this up to date.
- (2) This record must be retained for six years from the date on which it was superseded by a more up-to-date record.
SYSC 2.2.2
See Notes
- (1) A firm will be able to comply with SYSC 2.2.1 R by means of records which it keeps for its own purposes provided these records satisfy the requirements of SYSC 2.2.1 R and provided the firm takes reasonable care to keep them up to date. Appropriate records might, for this purpose, include organisational charts and diagrams, project management documents, job descriptions, committee constitutions and terms of reference provided they show a clear description of the firm's major functions.
- (2) Firms should record any material change to the arrangements described in SYSC 2.2.1 R as soon as reasonably practicable after that change has been made.
SYSC 2.2.3
See Notes
SYSC 3
Systems and Controls
SYSC 3.1
Systems and Controls
- 01/12/2004
SYSC 3.1.1
See Notes
SYSC 3.1.1A
See Notes
- 01/01/2007
SYSC 3.1.2
See Notes
- (1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including:
- (a) the nature, scale and complexity of its business;
- (b) the diversity of its operations, including geographical diversity;
- (c) the volume and size of its transactions; and
- (d) the degree of risk associated with each area of its operation.
- (2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.
- (3) The areas typically covered by the systems and controls referred to in SYSC 3.1.1 R are those identified in SYSC 3.2. Detailed requirements regarding systems and controls relevant to particular business areas or particular types of firm are covered elsewhere in the Handbook.
SYSC 3.1.3
See Notes
SYSC 3.1.4
See Notes
SYSC 3.1.5
See Notes
SYSC 3.2
Areas covered by systems and controls
- 01/12/2004
Introduction
SYSC 3.2.1
See Notes
Organisation
SYSC 3.2.2
See Notes
SYSC 3.2.3
See Notes
- (1) A firm's governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives, appropriate safeguards should be put in place.
- (2) When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved.
- (3) The extent and limits of any delegation should be made clear to those concerned.
- (4) There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks.
- (5) If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.
SYSC 3.2.4
See Notes
- (1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.
- (2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.
SYSC 3.2.5
See Notes
SYSC 3.2.5A
See Notes
- 01/01/2007
SYSC 3.2.5B
See Notes
- 01/01/2007
Systems and controls in relation to compliance, financial crime and money laundering
SYSC 3.2.6
See Notes
- 01/12/2001
SYSC 3.2.6A
See Notes
A firm must ensure that these systems and controls:
- (1) enable it to identify, assess, monitor and manage money laundering risk; and
- (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
- 01/03/2006
SYSC 3.2.6B
See Notes
- 01/03/2006
SYSC 3.2.6C
See Notes
- 01/03/2006
SYSC 3.2.6D
See Notes
SYSC 3.2.6E
See Notes
- 01/03/2006
SYSC 3.2.6F
See Notes
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:
- (1) its customer, product and activity profiles;
- (2) its distribution channels;
- (3) the complexity and volume of its transactions;
- (4) its processes and systems; and
- (5) its operating environment.
- 01/03/2006
SYSC 3.2.6G
See Notes
A firm should ensure that the systems and controls include:
- (1) appropriate training for its employees in relation to money laundering;
- (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;
- (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering, including documentation of its application of those policies (see SYSC 3.2.20 R to SYSC 3.2.22 G);
- (4) appropriate measures to ensure that money laundering risk is taken into account in its day-to-day operation, including in relation to:
- (a) the development of new products;
- (b) the taking-on of new customers; and
- (c) changes in its business profile; and
- (5) appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.
- 01/03/2006
SYSC 3.2.6H
See Notes
- 01/03/2006
The money laundering reporting officer
SYSC 3.2.6I
See Notes
A firm must:
- (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and
- (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
- 01/03/2006
SYSC 3.2.6J
See Notes
- 01/03/2006
The compliance function
SYSC 3.2.7
See Notes
- (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
- (2) [deleted]
- (3) [deleted]
SYSC 3.2.8
See Notes
- (1) A firm which carries on designated investment business with or for customers must allocate to a director or senior manager the function of:
- (a) having responsibility for oversight of the firm's compliance; and
- (b) reporting to the governing body in respect of that responsibility.
- (2) In SYSC 3.2.8 R (1) (1) "compliance" means compliance with the rules in:
SYSC 3.2.9
See Notes
- (1) SUP 10.7.8 R uses SYSC 3.2.8 R to describe the controlled function, known as the compliance oversight function, of acting in the capacity of a director or senior manager to whom this function is allocated.
- (2) The rules referred to in SYSC 3.2.8 R (2) are the minimum area of focus for the firm's compliance oversight function. A firm is free to give additional responsibilities to a person performing this function if it wishes.
- 01/12/2001
Risk assessment
SYSC 3.2.10
See Notes
- (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate risk assessment function responsible for assessing the risks that the firm faces and advising the governing body and senior managers on them.
- (2) The organisation and responsibilities of a risk assessment function should be documented. The function should be adequately resourced and staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively.
- (3) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).
Management information
SYSC 3.2.11
See Notes
- (1) A firm's arrangements should be such as to furnish its governing body with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Three factors will be the relevance, reliability and timeliness of that information.
- (2) Risks of regulatory concern are those risks which relate to the fair treatment of the firm's customers, to the protection of consumers, to confidence in the financial system, and to the use of that system in connection with financial crime.
SYSC 3.2.12
See Notes
Employees and agents
SYSC 3.2.13
See Notes
SYSC 3.2.14
See Notes
- (1) SYSC 3.2.13 G includes assessing an individual's honesty, and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
- (2) Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.
- (3) The FSA's detailed requirements on firms with respect to the competence of individuals are in the Training and Competence sourcebook (TC).[deleted]
- (4) The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10.
Audit committee
SYSC 3.2.15
See Notes
Internal audit
SYSC 3.2.16
See Notes
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
- (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
- (2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).
Business strategy
SYSC 3.2.17
See Notes
A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.
Remuneration policies
SYSC 3.2.18
See Notes
It is possible that firms' remuneration policies will from time to time lead to tensions between the ability of the firm to meet the requirements and standards under the regulatory system and the personal advantage of those who act for it. Where tensions exist, these should be appropriately managed.
Business continuity
SYSC 3.2.19
See Notes
A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.
Records
SYSC 3.2.20
See Notes
- (1) A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.
- (2) Subject to (3) and to any other record-keeping rule in the Handbook, the records required by (1) or by such other rule must be capable of being reproduced in the English language on paper.
- (3) If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language as required by (2).
SYSC 3.2.21
See Notes
A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
SYSC 3.2.22
See Notes
CRD Requirements: (1) General organisation requirements
SYSC 3.2.23
See Notes
A BIPRU firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and adequate internal control mechanisms, including sound administrative and accounting procedures.
[Note: article 22(1) of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.24
See Notes
The arrangements, processes and mechanisms referred to in SYSC 3.2.23 R must be comprehensive and proportionate to the nature, scale and complexity of the BIPRU firm's activities. The technical criteria laid down in BIPRU 2.3.7 R (1), BIPRU 9.1.6 R, BIPRU 9.13.21 R (Liquidity plans), BIPRU 10.12.3 R (Concentration risk policies), SYSC 3.2.26 R and SYSC 3.2.28 R to SYSC 3.2.36 R must be taken into account.
[Note: article 22(2) of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.25
See Notes
A BIPRU firm must ensure that its internal control mechanisms and administrative and accounting procedures permit the verification of its compliance with rules adopted in accordance with the Capital Adequacy Directive at all times.
[Note: article 35(1) second sentence of the Capital Adequacy Directive]
- 01/01/2007
SYSC 3.2.26
See Notes
A BIPRU firm must have contingency and business continuity plans in place aimed at ensuring its ability to operate on an ongoing basis and limit losses in the event of severe business disruption.
[Note: annex V paragraph 13 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.27
See Notes
A credit institution must have at least two persons who effectively direct the business of the firm. These persons must be of sufficiently good repute and have sufficient experience to perform their duties.
[Note: article 11(1) of the Banking Consolidation Directive]
- 01/01/2007
CRD Requirements: (2) Employees, agents and other relevant persons
SYSC 3.2.28
See Notes
The governing body of a BIPRU firm must define arrangements concerning the segregation of duties in the organisation and the prevention of conflicts of interest.
[Note: annex V paragraph 1 of the Banking Consolidation Directive]
- 01/01/2007
CRD Requirements: (3) Risk control
SYSC 3.2.29
See Notes
The governing body of a BIPRU firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.
[Note: annex V paragraph 2 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.30
See Notes
A BIPRU firm must base credit-granting on sound and well-defined criteria and clearly establish the process for approving, amending, renewing, and re-financing credits.
[Note: annex V paragraph 3 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.31
See Notes
A BIPRU firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.
[Note: annex V paragraph 4 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.32
See Notes
A BIPRU firm must adequately diversify credit portfolios given its target markets and overall credit strategy.
[Note: annex V paragraph 5 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.33
See Notes
A BIPRU firm must address and control by means of written policies and procedures the risk that recognised credit risk mitigation techniques used by it prove less effective than expected.
[Note: annex V paragraph 6 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.34
See Notes
A BIPRU firm must implement policies and processes for the measurement and management of all material sources and effects of market risks.
[Note: annex V paragraph 10 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.35
See Notes
A BIPRU firm must implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a BIPRU firm's non-trading activities.
[Note: annex V paragraph 11 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3.2.36
See Notes
A BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency high severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.
[Note: annex V paragraph 12 of the Banking Consolidation Directive]
- 01/01/2007
SYSC 3A
Operational Risk: Systems and Controls
SYSC 3A.1
Application
- 31/12/2004
SYSC 3A.1.1
See Notes
SYSC 3A applies to an insurer unless it is:
- (1) a non-directive friendly society; or
- (2) an incoming EEA firm; or
- (3) an incoming Treaty firm.
- 31/12/2004
SYSC 3A.1.2
See Notes
SYSC 3A applies to:
- (1) an EEA-deposit insurer; and
- (2) a Swiss general insurer;
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
- 31/12/2004
SYSC 3A.2
Purpose
- 31/12/2004
SYSC 3A.2.1
See Notes
This chapter provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any of a firm's operations, such as its IT systems and outsourcing arrangements. It does not cover systems and controls for managing credit, market, liquidity and insurance risk.
- 31/12/2004
SYSC 3A.2.2
See Notes
Operational risk is a concept that can have a different application for different firms. A firm should assess the appropriateness of the guidance in this chapter in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3, to organise and control its affairs responsibly and effectively.
- 31/12/2004
SYSC 3A.2.3
See Notes
A firm should take steps to understand the types of operational risk that are relevant to its particular circumstances, and the operational losses to which they expose the firm. This should include considering the potential sources of operational risk addressed in this chapter: people; processes and systems; external events.
- 31/12/2004
SYSC 3A.2.4
See Notes
- 31/12/2004
SYSC 3A.3
Other related Handbook sections
- 31/12/2004
SYSC 3A.3.1
See Notes
The following is a non-exhaustive list of rules and guidance in the Handbook that are relevant to a firm's management of operational risk:
- (1) PRU 1.4 and PRU 6.1 contain specific rules and guidance for the establishment and maintenance of operational risk systems and controls in a prudential context.
- (2) COB contains rules and guidance that can relate to the management of operational risk, for example, COB 2 (Rules which apply to all firms conducting designated investment business), COB 3 (Financial promotion), COB 5 (Advising and selling) and COB 7 (Dealing and managing).
- 31/12/2004
SYSC 3A.4
Requirements to notify the FSA
- 31/12/2004
SYSC 3A.4.1
See Notes
Under Principle 11 and SUP 15.3.1 R a firm must notify the FSA immediately of any operational risk matter of which the FSA would reasonably expect notice. SUP 15.3.8 G provides guidance on the occurrences that this requirement covers, which include a significant failure in systems and controls and a significant operational loss.
- 31/12/2004
SYSC 3A.4.2
See Notes
- 31/12/2004
SYSC 3A.5
Risk management terms
- 31/12/2004
SYSC 3A.5.1
See Notes
In this chapter, the following interpretations of risk management terms apply:
- (1) a firm's risk culture encompasses the general awareness, attitude and behaviour of its employees and appointed representatives to risk and the management of risk within the organisation;
- (2) operational exposure means the degree of operational risk faced by a firm and is usually expressed in terms of the likelihood and impact of a particular type of operational loss occurring (for example, fraud, damage to physical assets);
- (3) a firm's operational risk profile describes the types of operational risks that it faces, including those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients, and its exposure to these risks.
- 31/12/2004
SYSC 3A.6
People
- 31/12/2004
SYSC 3A.6.1
See Notes
A firm should consult SYSC 3.2.2 G to SYSC 3.2.5 G for guidance on reporting lines and delegation of functions within a firm and SYSC 3.2.13 G to SYSC 3.2.14 G for guidance on the suitability of employees and appointed representatives. This section provides additional guidance on management of employees and other human resources in the context of operational risk.
- 31/12/2004
SYSC 3A.6.2
See Notes
A firm should establish and maintain appropriate systems and controls for the management of operational risks that can arise from employees. In doing so, a firm should have regard to:
- (1) its operational risk culture, and any variations in this or its human resource management practices, across its operations (including, for example, the extent to which the compliance culture is extended to in-house IT staff);
- (2) whether the way employees are remunerated exposes the firm to the risk that it will not be able to meet its regulatory obligations (see SYSC 3.2.18 G). For example, a firm should consider how well remuneration and performance indicators reflect the firm's tolerance for operational risk, and the adequacy of these indicators for measuring performance;
- (3) whether inadequate or inappropriate training of client-facing services exposes clients to risk of loss or unfair treatment including by not enabling effective communication with the firm;
- (4) the extent of its compliance with applicable regulatory and other requirements that relate to the welfare and conduct of employees;
- (5) its arrangements for the continuity of operations in the event of employee unavailability or loss;
- (6) the relationship between indicators of 'people risk' (such as overtime, sickness, and employee turnover levels) and exposure to operational losses; and
- (7) the relevance of all the above to employees of a third party supplier who are involved in performing an outsourcing arrangement. As necessary, a firm should review and consider the adequacy of the staffing arrangements and policies of a service provider.
- 31/12/2004
Employee Responsibilities
SYSC 3A.6.3
See Notes
A firm should ensure that all employees are capable of performing, and aware of, their operational risk management responsibilities, including by establishing and maintaining:
- (1) appropriate segregation of employees' duties and appropriate supervision of employees in the performance of their responsibilities (see SYSC 3.2.5 G);
- (2) appropriate recruitment and subsequent processes to review the fitness and propriety of employees (see SYSC 3.2.13 G and SYSC 3.2.14 G);
- (3) clear policy statements and appropriate systems and procedures manuals that are effectively communicated to employees and available for employees to refer to as required. These should cover, for example, compliance, IT security and health and safety issues;
- (4) training processes that enable employees to attain and maintain appropriate competence; and
- (5) appropriate and properly enforced disciplinary and employment termination policies and procedures.
- 31/12/2004
SYSC 3A.6.4
See Notes
A firm should have regard to SYSC 3A.6.3 G in relation to approved persons, people occupying positions of high personal trust (for example, security administration, payment and settlement functions); and people occupying positions requiring significant technical competence (for example, derivatives trading and technical security administration). A firm should also consider the rules and guidance for approved persons in other parts of the Handbook (including APER and SUP) and the rules and guidance on senior manager responsibilities in SYSC 2.1 (Apportionment of Responsibilities).
- 31/12/2004
SYSC 3A.7
Processes and systems
- 31/12/2004
SYSC 3A.7.1
See Notes
A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to:
- (1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems);
- (2) controls that will help it to prevent system and process failures or identify them to permit prompt rectification (including pre-approval or reconciliation processes);
- (3) whether the design and use of its processes and systems allow it to comply adequately with regulatory and other requirements;
- (4) its arrangements for the continuity of operations in the event that a significant process or system becomes unavailable or is destroyed; and
- (5) the importance of monitoring indicators of process or system risk (including reconciliation exceptions, compensation payments for client losses and documentation errors) and experience of operational losses and exposures.
- 31/12/2004
Internal documentation
SYSC 3A.7.2
See Notes
Internal documentation may enhance understanding and aid continuity of operations, so a firm should ensure the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational risk.
- 31/12/2004
External documentation
SYSC 3A.7.3
See Notes
A firm may use external documentation (including contracts, transaction statements or advertising brochures) to define or clarify terms and conditions for its products or activities, its business strategy (for example, including through press statements), or its brand. Inappropriate or inaccurate information in external documents can lead to significant operational exposure.
- 31/12/2004
SYSC 3A.7.4
See Notes
A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so a firm should have regard to:
- (1) compliance with applicable regulatory and other requirements (such as COB 3 (Financial promotion));
- (2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard terms (whose meaning may not yet be settled or whose effectiveness may be uncertain);
- (3) the manner in which its documentation is issued; and
- (4) the extent to which confirmation of acceptance is required (including by customer signature or counterparty confirmation).
- 31/12/2004
IT systems
SYSC 3A.7.5
See Notes
IT systems include the computer systems and infrastructure required for the automation of processes, such as application and operating system software; network infrastructure; and desktop, server, and mainframe hardware. Automation may reduce a firm's exposure to some 'people risks' (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.
- 31/12/2004
SYSC 3A.7.6
See Notes
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:
- (1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
- (2) the extent to which technology requirements are addressed in its business strategy;
- (3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
- (4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).
- 31/12/2004
Information security
SYSC 3A.7.7
See Notes
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:
- (1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
- (2) integrity: safeguarding the accuracy and completeness of information and its processing;
- (3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
- (4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
- 31/12/2004
SYSC 3A.7.8
See Notes
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).
- 31/12/2004
Geographic location
SYSC 3A.7.9
See Notes
Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to:
- (1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or cultural differences on the provision of services);
- (2) relevant local regulatory and other requirements regarding data protection and transfer;
- (3) the extent to which local regulatory and other requirements may restrict its ability to meet regulatory obligations in the United Kingdom (for example, access to information by the FSA and local restrictions on internal or external audit); and
- (4) the timeliness of information flows to and from its headquarters and whether the level of delegated authority and the risk management structures of the overseas operation are compatible with the firm's head office arrangements.
- 31/12/2004
SYSC 3A.8
External events and other changes
- 31/12/2004
SYSC 3A.8.1
See Notes
The exposure of a firm to operational risk may increase during times of significant change to its organisation, infrastructure and business operating environment (for example, following a corporate restructure or changes in regulatory requirements). Before, during, and after expected changes, a firm should assess and monitor their effect on its risk profile, including with regard to:
- (1) untrained or de-motivated employees or a significant loss of employees during the period of change, or subsequently;
- (2) inadequate human resources or inexperienced employees carrying out routine business activities owing to the prioritisation of resources to the programme or project;
- (3) process or system instability and poor management information due to failures in integration or increased demand; and
- (4) inadequate or inappropriate processes following business re-engineering.
- 31/12/2004
SYSC 3A.8.2
See Notes
A firm should establish and maintain appropriate systems and controls for the management of the risks involved in expected changes, such as by ensuring:
- (1) the adequacy of its organisation and reporting structure for managing the change (including the adequacy of senior management oversight);
- (2) the adequacy of the management processes and systems for managing the change (including planning, approval, implementation and review processes); and
- (3) the adequacy of its strategy for communicating changes in systems and controls to its employees.
- 31/12/2004
Unexpected changes and business continuity management
SYSC 3A.8.3
See Notes
SYSC 3.2.19 G provides high level guidance on business continuity. This section provides additional guidance on managing business continuity in the context of operational risk.
- 31/12/2004
SYSC 3A.8.4
See Notes
The high level requirement for appropriate systems and controls at SYSC 3.1.1 R applies at all times, including when a business continuity plan is invoked. However, the FSA recognises that, in an emergency, a firm may be unable to comply with a particular rule and the conditions for relief are outlined in GEN 1.3 (Emergency).
- 31/12/2004
SYSC 3A.8.5
See Notes
A firm should consider the likelihood and impact of a disruption to the continuity of its operations from unexpected events. This should include assessing the disruptions to which it is particularly susceptible (and the likely timescale of those disruptions) including through:
- (1) loss or failure of internal and external resources (such as people, systems and other assets);
- (2) the loss or corruption of its information; and
- (3) external events (such as vandalism, war and "acts of God").
- 31/12/2004
SYSC 3A.8.6
See Notes
A firm should implement appropriate arrangements to maintain the continuity of its operations. A firm should act to reduce both the likelihood of a disruption (including by succession planning, systems resilience and dual processing); and the impact of a disruption (including by contingency arrangements and insurance).
- 31/12/2004
SYSC 3A.8.7
See Notes
A firm should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. A firm should establish:
- (1) formal business continuity plans that outline arrangements to reduce the impact of a short, medium or long-term disruption, including:
- (a) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
- (b) the recovery priorities for the firm's operations; and
- (c) communication arrangements for internal and external concerned parties (including the FSA, clients and the press);
- (2) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
- (3) processes to validate the integrity of information affected by the disruption;
- (4) processes to review and update (1) to (3) following changes to the firm's operations or risk profile (including changes identified through testing).
- 31/12/2004
SYSC 3A.8.8
See Notes
The use of an alternative site for recovery of operations is common practice in business continuity management. A firm that uses an alternative site should assess the appropriateness of the site, particularly for location, speed of recovery and adequacy of resources. Where a site is shared, a firm should evaluate the risk of multiple calls on shared resources and adjust its plans accordingly.
- 31/12/2004
SYSC 3A.9
Outsourcing
- 31/12/2004
SYSC 3A.9.1
See Notes
As SYSC 3.2.4 G explains, a firm cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions. This section provides additional guidance on managing outsourcing arrangements (and will be relevant, to some extent, to other forms of third party dependency) in relation to operational risk. Outsourcing may affect a firm's exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.
- 31/12/2004
SYSC 3A.9.2
See Notes
Firms should take particular care to manage material outsourcing arrangements and, as SUP 15.3.8 G (1)(e) explains, a firm should notify the FSA when it intends to enter into a material outsourcing arrangement.
- 31/12/2004
SYSC 3A.9.3
See Notes
A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk.
- 31/12/2004
SYSC 3A.9.4
See Notes
Before entering into, or significantly changing, an outsourcing arrangement, a firm should:
- (1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
- (2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
- (3) conduct appropriate due diligence of the service provider's financial stability and expertise;
- (4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
- (5) consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
- 31/12/2004
SYSC 3A.9.5
See Notes
In negotiating its contract with a service provider, a firm should have regard to:
- (1) reporting or notification requirements it may wish to impose on the service provider;
- (2) whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the Act) and to the FSA (see SUP 2.3.5 R (Access to premises) and SUP 2.3.7 R (Suppliers under material outsourcing arrangements);
- (3) information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
- (4) the adequacy of any guarantees and indemnities;
- (5) the extent to which the service provider must comply with the firm's policies and procedures (covering, for example, information security);
- (6) the extent to which a service provider will provide business continuity for outsourcing operations, and whether exclusive access to its resources is agreed;
- (7) the need for continued availability of software following difficulty at a third party supplier;
- (8) the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
- (a) a change of ownership or control (including insolvency or receivership) of the service provider or firm;
- (b) significant change in the business operations (including sub-contracting) of the service provider or firm; or
- (c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.
- 31/12/2004
SYSC 3A.9.6
See Notes
In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:
- (1) the identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
- (2) the evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
- (3) remedial action and escalation processes for dealing with inadequate performance.
- 31/12/2004
SYSC 3A.9.7
See Notes
In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls. The use of such reports does not absolve the firm of responsibility to maintain other oversight. In addition, the firm should not normally have to forfeit its right to access, for itself or its agents, to the service provider's premises.
- 31/12/2004
SYSC 3A.9.8
See Notes
A firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement.
- 31/12/2004
SYSC 3A.10
Insurance
- 31/12/2004
SYSC 3A.10.1
See Notes
- 01/12/2001
SYSC 3A.10.2
See Notes
When considering utilising insurance, a firm should consider:
- (1) the time taken for the insurer to pay claims (including the potential time taken in disputing cover) and the firm's funding of operations whilst awaiting payment of claims;
- (2) the financial strength of the insurer, which may determine its ability to pay claims, particularly where large or numerous small claims are made at the same time; and
- (3) the effect of any limiting conditions and exclusion clauses that may restrict cover to a small number of specific operational losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).
- 01/12/2001
SYSC 4
General organisational requirements [Note: Not mandatory for a common platform firm until 01/11/07. See SYSC TP1]
SYSC 4.1
General requirements
- 01/01/2007
- Past version of SYSC 4.1 before 01/01/2007
SYSC 4.1.1
See Notes
A common platform firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.
[Note: article 22(1) of the Banking Consolidation Directive, article 13(5) second paragraph of MiFID]
SYSC 4.1.2
See Notes
The arrangements, processes and mechanisms referred to in SYSC 4.1.1 R must be comprehensive and proportionate to the nature, scale and complexity of the common platform firm's activities and must take into account the specific technical criteria described in SYSC 4.1.7 R, SYSC 5.1.7 R and SYSC 7 .
[Note: article 22(2) of the Banking Consolidation Directive]
SYSC 4.1.3
See Notes
A BIPRU firm must ensure that its internal control mechanisms and administrative and accounting procedures permit the verification of its compliance with rules adopted in accordance with the Capital Adequacy Directive at all times.
[Note: article 35(1) final sentence of the Capital Adequacy Directive]
SYSC 4.1.4
See Notes
A common platform firm must, taking into account the nature, scale and complexity of the business of the firm, and the nature and range of the investment services and activities undertaken in the course of that business:
- (1) establish, implement and maintain decision-making procedures and an organisational structure which clearly and in a documented manner specifies reporting lines and allocates functions and responsibilities;
- (2) establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm; and
- (3) establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the firm.
[Note: articles 5(1) final paragraph, 5(1)(a), 5(1)(c) and 5(1)(e) of the MiFID implementing Directive]
SYSC 4.1.5
See Notes
A MiFID investment firm must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.
[Note: article 5(2) of the MiFID implementing Directive]
Business continuity
SYSC 4.1.6
See Notes
A common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the firm must employ appropriate and proportionate systems, resources and procedures.
[Note: article 13(4) of MiFID]
SYSC 4.1.7
See Notes
A common platform firm must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of its regulated activities.
[Note: article 5(3) of the MiFID implementing Directive and annex V paragraph 13 of the Banking Consolidation Directive]
SYSC 4.1.8
See Notes
The matters dealt with in a business continuity policy should include:
- (1) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
- (2) the recovery priorities for the firm's operations;
- (3) communication arrangements for internal and external concerned parties (including the FSA , clients and the press);
- (4) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
- (5) processes to validate the integrity of information affected by the disruption; and
- (6) regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC 4.1.10 R.
SYSC 4.1.8A
See Notes
An operator of an electronic system in relation to lending must take reasonable steps to ensure that arrangements are in place to ensure that P2P agreements facilitated by it will continue to be managed and administered, in accordance with the contract terms, if at any time it ceases to carry on the activity of operating an electronic system in relation to lending
- 01/05/2002
Accounting policies
SYSC 4.1.9
See Notes
A common platform firm must establish, implement and maintain accounting policies and procedures that enable it, at the request of the FSA, to deliver in a timely manner to the FSA financial reports which reflect a true and fair view of its financial position and which comply with all applicable accounting standards and rules.
[Note: article 5(4) of the MiFID implementing Directive]
Regular monitoring
SYSC 4.1.10
See Notes
A common platform firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.
[Note: article 5(5) of the MiFID implementing Directive]
Audit committee
SYSC 4.1.11
See Notes
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface between management and external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.
SYSC 4.2
Persons who effectively direct the business
- 01/01/2007
- Past version of SYSC 4.2 before 01/01/2007
SYSC 4.2.1
See Notes
The senior personnel of a common platform firm must be of sufficiently good repute and sufficiently experienced as to ensure the sound and prudent management of the firm.
[Note: article 9(1) of MiFID and article 11(1) second paragraph of the Banking Consolidation Directive]
SYSC 4.2.2
See Notes
A common platform firm must ensure that its management is undertaken by at least two persons meeting the requirements laid down in SYSC 4.2.1 R.
[Note: article 9(4) first paragraph of MiFID and article 11(1) first paragraph of the Banking Consolidation Directive]
SYSC 4.2.3
See Notes
In the case of a body corporate, the persons referred to in SYSC 4.2.2 R should either be executive directors or persons granted executive powers by, and reporting immediately to, the governing body. In the case of a partnership, they should be active partners.
SYSC 4.2.4
See Notes
At least two independent minds should be applied to both the formulation and implementation of the policies of a common platform firm. Where a common platform firm nominates just two individuals to direct its business, the FSA will not regard them as both effectively directing the business where one of them makes some, albeit significant, decisions relating to only a few aspects of the business. Each should play a part in the decision-making process on all significant decisions. Both should demonstrate the qualities and application to influence strategy, day-to-day policy and its implementation. This does not require their day-to-day involvement in the execution and implementation of policy. It does, however, require involvement in strategy and general direction, as well as knowledge of, and influence on, the way in which strategy is being implemented through day-to-day policy.
SYSC 4.2.5
See Notes
Where there are more than two individuals directing the business, the FSA does not regard it as necessary for all of these individuals to be involved in all decisions relating to the determination of strategy and general direction. However, at least two individuals should be involved in all such decisions. Both individuals' judgement should be engaged so that major errors leading to difficulties for the firm are less likely to occur. Similarly, each individual should have sufficient experience and knowledge of the business and the necessary personal qualities and skills to detect and resist any imprudence, dishonesty or other irregularities by the other individual. Where a single individual, whether a chief executive, managing director or otherwise, is particularly dominant in a firm this will raise doubts about whether SYSC 4.2.2 R is met.
SYSC 4.2.6
See Notes
If a common platform firm, other than a credit institution, is:
- (1) a natural person; or
- (2) a legal person managed by a single natural person;
it must have alternative arrangements in place which ensure sound and prudent management of the firm.
[Note: article 9(4) second paragraph of MiFID]
SYSC 4.3
Responsibility of senior personnel
- 01/01/2007
SYSC 4.3.1
See Notes
A MiFID investment firm , when allocating functions internally, must ensure that senior personnel and, where appropriate, the supervisory function, are responsible for ensuring that the firm complies with its obligations under MiFID . In particular, senior personnel and, where appropriate, the supervisory function must assess and periodically review the effectiveness of the policies, arrangements and procedures put in place to comply with the firm's obligations under MiFID and take appropriate measures to address any deficiencies.
[Note: article 9(1) of the MiFID implementing Directive]
SYSC 4.3.2
See Notes
A MiFID investment firm , must ensure:
- (1) that its senior personnel receive on a frequent basis, and at least annually, written reports on the matters covered by SYSC 6.1.2 R to SYSC 6.1.5 R, SYSC 6.2.1 R and SYSC 7.1.2 R, SYSC 7.1.3 R and SYSC 7.1.5 R to SYSC 7.1.7 R, indicating in particular whether the appropriate remedial measures have been taken in the event of any deficiencies; and
- (2) the supervisory function, if any, must receive on a regular basis written reports on the same matters.
[Note: article 9(2) and article 9(3) of the MiFID implementing Directive]
SYSC 4.3.3
See Notes
The supervisory function does not include a general meeting of the shareholders of a common platform firm , or equivalent bodies, but could involve, for example, a separate supervisory board within a two-tier board structure or the establishment of a non-executive committee of a single-tier board structure.
SYSC 4.3.4
See Notes
SYSC 2, which sets out how certain functions in a firm should be allocated, does not affect the collective responsibility of the senior personnel of a MiFID investment firm under this section.
- 01/01/2007
SYSC 5
Employees, agents and other relevant persons [Note: Not mandatory for a common platform firm until 01/11/07. See SYSC TP1]
SYSC 5.1
Skills, knowledge and expertise
- 01/01/2007
SYSC 5.1.1
See Notes
A common platform firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.
[Note: article 5(1)(d) of the MiFID implementing Directive]
SYSC 5.1.2
See Notes
SYSC 5.1.3
See Notes
SYSC 5.1.4
See Notes
SYSC 5.1.5
See Notes
Segregation of functions
SYSC 5.1.6
See Notes
A common platform firm must ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular functions soundly, honestly and professionally.
[Note: article 5(1)(g) of the MiFID implementing Directive]
SYSC 5.1.7
See Notes
The senior personnel of a common platform firm must define arrangements concerning the segregation of duties within the firm and the prevention of conflicts of interest.
[Note:annex V paragraph 1 of the Banking Consolidation Directive]
SYSC 5.1.8
See Notes
SYSC 5.1.9
See Notes
A common platform firm should normally ensure that no single individual has unrestricted authority to do all of the following:
- (1) initiate a transaction;
- (2) bind the firm;
- (3) make payments; and
- (4) account for it.
SYSC 5.1.10
See Notes
SYSC 5.1.11
See Notes
Where a common platform firm outsources its internal audit function, it should take reasonable steps to ensure that every individual involved in the performance of this service is independent from the individuals who perform its external audit. This should not prevent services from being undertaken by a firm's external auditors provided that:
- (1) the work is carried out under the supervision and management of the firm's own internal staff; and
- (2) potential conflicts of interest between the provision of external audit services and the provision of internal audit are properly managed.
Awareness of procedures
SYSC 5.1.12
See Notes
A common platform firm must ensure that its relevant persons are aware of the procedures which must be followed for the proper discharge of their responsibilities.
[Note: article 5(1)(d) of the MiFID implementing Directive]
General
SYSC 5.1.13
See Notes
The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter must take into account the nature, scale and complexity of its business and the nature and range of investment services and activities undertaken in the course of that business.
[Note: article 5(1) final paragraph of the MiFID implementing Directive]
SYSC 5.1.14
See Notes
A common platform firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies.
[Note: article 5(5) of the MiFID implementing Directive]
SYSC 6
Compliance, internal audit and financial crime [Note: Not mandatory for a common platform firm until 01/11/07. See SYSC TP1]
SYSC 6.1
Compliance
- 01/01/2007
SYSC 6.1.1
See Notes
A common platform firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives with its obligations under the regulatory system.
[Note: article 13(2) of MiFID]
SYSC 6.1.2
See Notes
A common platform firm must, taking in toaccount the nature, scale and complexity of its business, and the nature and range of investment services and activities undertaken in the course of that business, establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system, as well as associated risks, and put in place adequate measures and procedures designed to minimise such risks and to enable the FSA to exercise its powers effectively under the regulatory system and to enable any other competent authority to exercise its powers effectively under MiFID.
[Note: article 6(1) of the MiFID implementing Directive]
SYSC 6.1.3
See Notes
A common platform firm must maintain a permanent and effective compliance function which operates independently and which has the following responsibilities:
- (1) to monitor and, on a regular basis, to assess the adequacy and effectiveness of the measures and procedures put in place in accordance with SYSC 6.1.2 R, and the actions taken to address any deficiencies in the firm's compliance with its obligations;
- (2) to advise and assist the relevant persons responsible for carrying out regulated activities to comply with the firm's obligations under the regulatory system.
[Note: article 6(2) of the MiFID implementing Directive]
SYSC 6.1.4
See Notes
In order to enable the compliance function to discharge its responsibilities properly and independently, a common platform firm must ensure that the following conditions are satisfied:
- (1) the compliance function must have the necessary authority, resources, expertise and access to all relevant information;
- (2) a compliance officer must be appointed and must be responsible for the compliance function and for any reporting as to compliance required by SYSC 4.3.2 R;
- (3) the relevant persons involved in the compliance functions must not be involved in the performance of services or activities they monitor;
- (4) the method of determining the remuneration of the relevant persons involved in the compliance function must not compromise their objectivity and must not be likely to do so.
[Note: article 6(3) first paragraph of the MiFID implementing Directive]
SYSC 6.1.5
See Notes
A common platform firm need not comply with SYSC 6.1.4 R (3) or SYSC 6.1.4 R (4) if it is able to demonstrate that in view of the nature, scale and complexity of its business, and the nature and range of investment services and activities , the requirements under those rules are not proportionate and that its compliance function continues to be effective.
[Note: article 6(3) second paragraph of the MiFID implementing Directive]
SYSC 6.2
Internal audit
- 01/01/2007
SYSC 6.2.1
See Notes
A common platform firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of investment services and activities undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm and which has the following responsibilities:
- (1) to establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm's systems, internal control mechanisms and arrangements;
- (2) to issue recommendations based on the result of work carried out in accordance with (1);
- (3) to verify compliance with those recommendations;
- (4) to report in relation to internal audit matters in accordance with SYSC 4.3.2 R.
[Note: article 8 of the MiFID implementing Directive]
SYSC 6.3
Financial crime
- 01/01/2007
SYSC 6.3.1
See Notes
A common platform firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that:
- (1) enable it to identify, assess, monitor and manage money laundering risk; and
- (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
SYSC 6.3.2
See Notes
- 01/01/2007
SYSC 6.3.3
See Notes
SYSC 6.3.4
See Notes
SYSC 6.3.5
See Notes
SYSC 6.3.6
See Notes
In identifying its money laundering risk and in establishing the nature of these systems and controls, a common platform firm should consider a range of factors, including:
- (1) its customer, product and activity profiles;
- (2) its distribution channels;
- (3) the complexity and volume of its transactions;
- (4) its processes and systems; and
- (5) its operating environment.
SYSC 6.3.7
See Notes
A common platform firm should ensure that the systems and controls include:
- (1) appropriate training for its employees in relation to money laundering;
- (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;
- (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering, including documentation of its application of those policies (see SYSC 9);
- (4) appropriate measures to ensure that money laundering risk is taken into account in its day-to-day operation, including in relation to:
- (a) the development of new products;
- (b) the taking-on of new customers; and
- (c) changes in its business profile; and
- (5) appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.
SYSC 6.3.8
See Notes
The money laundering reporting officer
SYSC 6.3.9
See Notes
A common platform firm must:
- (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and
- (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
SYSC 6.3.10
See Notes
- 01/01/2007
SYSC 7
Risk control [Note: Not mandatory for a common platform firm until 01/11/07. See SYSC TP1]
SYSC 7.1
Risk control
- 01/01/2007
SYSC 7.1.1
See Notes
SYSC 7.1.2
See Notes
A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.
[Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]
SYSC 7.1.3
See Notes
A common platform firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm's activities, processes and systems, in light of that level of risk tolerance.
[Note: article 7(1)(b) of the MiFID implementing Directive]
SYSC 7.1.4
See Notes
The senior personnel of a common platform firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.
[Note: annex V paragraph 2 of the Banking Consolidation Directive]
SYSC 7.1.5
See Notes
A common platform firm must monitor the following:
- (1) the adequacy and effectiveness of the firm's risk management policies and procedures;
- (2) the level of compliance by the firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with SYSC 7.1.3 R;
- (3) the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements or processes and mechanisms or follow such policies and procedures.
[Note: article 7(1)(c) of the MiFID implementing Directive]
SYSC 7.1.6
See Notes
A common platform firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:
- (1) implementation of the policies and procedures referred to in SYSC 7.1.2 R to SYSC 7.1.5 R; and
- (2) provision of reports and advice to senior personnel in accordance with SYSC 4.3.2 R.
[Note: MiFID implementing Directive Article 7(2) first paragraph]
SYSC 7.1.7
See Notes
Where a common platform firm is not required under SYSC 7.1.6 R to maintain a risk management function that functions independently, it must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with SYSC 7.1.2 R to SYSC 7.1.5 R satisfy the requirements of those rules and are consistently effective.
[Note: article 7(2) second paragraph of the MiFID implementing Directive]
SYSC 7.1.8
See Notes
Credit and counterparty risk
SYSC 7.1.9
See Notes
A BIPRU firm must base credit-granting on sound and well-defined criteria and clearly establish the process for approving, amending, renewing, and re-financing credits.
[Note: annex V paragraph 3 of the Banking Consolidation Directive]
SYSC 7.1.10
See Notes
A BIPRU firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.
[Note: annex V paragraph 4 of the Banking Consolidation Directive]
SYSC 7.1.11
See Notes
A BIPRU firm must adequately diversify credit portfolios given its target market and overall credit strategy.
[Note: annex V paragraph 5 of the Banking Consolidation Directive]
SYSC 7.1.12
See Notes
Residual risk
SYSC 7.1.13
See Notes
A BIPRU firm must address and control by means of written policies and procedures the risk that recognised credit risk mitigation techniques used by it prove less effective than expected.
[Note: annex V paragraph 6 of the Banking Consolidation Directive]
Market risk
SYSC 7.1.14
See Notes
A BIPRU firm must implement policies and processes for the measurement and management of all material sources and effects of market risks.
[Note: annex V paragraph 10 of the Banking Consolidation Directive]
Interest rate risk
SYSC 7.1.15
See Notes
A BIPRU firm must implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a BIPRU firm's non-trading activities.
[Note: annex V paragraph 11 of the Banking Consolidation Directive]
Operational risk
SYSC 7.1.16
See Notes
A BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency high severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.
[Note: annex V paragraph 12 of the Banking Consolidation Directive]
SYSC 8
Outsourcing
SYSC 8.1
General outsourcing requirements [Note: Not mandatory for a common platform firm until 01/11/07. See SYSC TP1]
- 01/01/2007
- Future version of SYSC 8.1 after 01/11/2007
SYSC 8.1.1
See Notes
A common platform firm must:
- (1) when relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter "relevant services and activities") on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk;
- (2) not undertake the outsourcing of important operational functions in such a way as to impair materially:
- (a) the quality of its internal control; and
- (b) the ability of the FSA to monitor the firm's compliance with all obligations under the regulatory system and, if different, of a competent authority to monitor the firm's compliance with all obligations under MiFID.
[Note: article 13(5) first paragraph of MiFID]
SYSC 8.1.2
See Notes
SYSC 8.1.3
See Notes
SYSC 8.1.4
See Notes
For the purposes of this chapter an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a common platform firm with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.
[Note: article 13(1) of the MiFID implementing Directive]
SYSC 8.1.5
See Notes
Without prejudice to the status of any other function, the following functions will not be considered as critical or important for the purposes of this chapter:
- (1) the provision to the firm of advisory services, and other services which do not form part of the relevant services and activities of the firm, including the provision of legal advice to the firm, the training of personnel of the firm, billing services and the security of the firm's premises and personnel;
- (2) the purchase of standardised services, including market information services and the provision of price feeds.
[Note: article 13(2) of the MiFID implementing Directive]
SYSC 8.1.6
See Notes
If a common platform firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system and must comply, in particular, with the following conditions:
- (1) the outsourcing must not result in the delegation by senior personnel of their responsibility;
- (2) the relationship and obligations of the firm towards its clients under the regulatory system must not be altered;
- (3) the conditions with which the firm must comply in order to be authorised, and to remain so, must not be undermined;
- (4) none of the other conditions subject to which the firm's authorisation was granted must be removed or modified.
[Note: article 14(1) of the MiFID implementing Directive]
SYSC 8.1.7
See Notes
A common platform firm must exercise due skill and care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any relevant services and activities.
[Note: article 14(2) first paragraph of the MiFID implementing Directive]
SYSC 8.1.8
See Notes
A common platform firm must in particular take the necessary steps to ensure that the following conditions are satisfied:
- (1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
- (2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;
- (3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
- (4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
- (5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcingand must manage those risksand must supervise those functions and manage those risks;
- (6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
- (7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
- (8) the service provider must co-operate with the FSA and any other relevant competent authority in connection with the outsourced activities;
- (9) the firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access;
- (10) the service provider must protect any confidential information relating to the firm and its clients;
- (11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
[Note: article 14(2) second paragraph of the MiFID implementing Directive]
SYSC 8.1.9
See Notes
A common platform firm must ensure that the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement.
[Note: article 14(3) of the MiFID implementing Directive]
SYSC 8.1.10
See Notes
If a common platform firm and the service provider are members of the same group, the firm may, for the purpose of complying with SYSC 8.1.7 R to SYSC 8.1.11 R and SYSC 8.2 and SYSC 8.3, take into account the extent to which the common platform firm controls the service provider or has the ability to influence its actions.
[Note: article 14(4) of the MiFID implementing Directive]
SYSC 8.1.11
See Notes
A common platform firm must make available on request to the FSA and any other relevant competent authority all information necessary to enable the FSA and any other relevant competent authority to supervise the compliance of the performance of the outsourced activities with the requirements of the regulatory system.
[Note: article 14(5) of the MiFID implementing Directive]
SYSC 8.1.12
See Notes
As SUP 15.3.8 G explains, a common platform firm should notify the FSA when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.
[Note: recital 20 of the MiFID implementing Directive]
SYSC 10
Conflicts of interest [Note: Not mandatory for a common platform firm until 01/11/07. See SYSC TP1]
SYSC 10.1
Application
- 01/01/2007
SYSC 10.1.1
See Notes
Requirements only apply if a service is provided
SYSC 10.1.2
See Notes
The requirements in this section only apply where a service is provided by a common platform firm . The status of the client to whom the service is provided (as a retail client, professional client or eligible counterparty) is irrelevant for this purpose.
[Note: recital 25 of MiFID implementing Directive]
Identifying conflicts
SYSC 10.1.3
See Notes
A common platform firm must take all reasonable steps to identify conflicts of interest between:
- (1) the firm, including its managers, employees and appointed representatives or tied agents , or any person directly or indirectly linked to them by control, and a client of the firm; or
- (2) one client of the firm and another client;
that arise or may arise in the course of the firm providing any service referred to in SYSC 10.1.1 R.
[Note: article 18(1) of MiFID]
Types of conflicts
SYSC 10.1.4
See Notes
For the purposes of identifying the types of conflict of interest that arise, or may arise, in the course of providing a service and whose existence may entail a material risk of damage to the interests of a client, a common platform firm must take into account, as a minimum, whether the firm or a relevant person, or a person directly or indirectly linked by control to the firm:
- (1) is likely to make a financial gain, or avoid a financial loss, at the expense of the client;
- (2) has an interest in the outcome of a service provided to the client or of a transaction carried out on behalf of the client, which is distinct from the client's interest in that outcome;
- (3) has a financial or other incentive to favour the interest of another client or group of clients over the interests of the client;
- (4) carries on the same business as the client; or
- (5) receives or will receive from a person other than the client an inducement in relation to a service provided to the client, in the form of monies, goods or services, other than the standard commission or fee for that service.
The conflict of interest may result from the firm or person providing a service referred to in SYSC 10.1.1 R or engaging in any other activity.
[Note: article 21 of MiFID implementing Directive]
SYSC 10.1.5
See Notes
The circumstances which should be treated as giving rise to a conflict of interest cover cases where there is a conflict between the interests of the firm or certain persons connected to the firm or the firm's group and the duty the firm owes to a client; or between the differing interests of two or more of its clients, to whom the firm owes in each case a duty. It is not enough that the firm may gain a benefit if there is not also a possible disadvantage to a client, or that one client to whom the firm owes a duty may make a gain or avoid a loss without there being a concomitant possible loss to another such client.
[Note: recital 24 of MiFID implementing Directive]
Record of conflicts
SYSC 10.1.6
See Notes
A common platform firm must keep and regularly update a record of the kinds of service or activity carried out by or on behalf of the firm in which a conflict of interest entailing a material risk of damage to the interests of one or more clients has arisen or, in the case of an ongoing service or activity, may arise.
[Note: article 23 of MiFID implementing Directive]
Managing conflicts
SYSC 10.1.7
See Notes
A common platform firm must maintain and operate effective organisational and administrative arrangements with a view to taking all reasonable steps to prevent conflicts of interest as defined in SYSC 10.1.3 R from constituting or giving rise to a material risk of damage to the interests of its clients.
[Note: article 13(3) of MiFID]
Disclosure of conflicts
SYSC 10.1.8
See Notes
- (1) If arrangements made by a common platform firm under SYSC 10.1.7 R to manage conflicts of interest are not sufficient to ensure, with reasonable confidence, that risks of damage to the interests of a client will be prevented, the firm must clearly disclose the general nature and/or sources of conflicts of interest to the client before undertaking business for the client.
- (2) The disclosure must:
- (a) be made in a durable medium; and
- (b) include sufficient detail, taking into account the nature of the client, to enable that client to take an informed decision with respect to the service in the context of which the conflict of interest arises.
[Note: article 18(2) of MiFID and Article 22(4) of MiFID implementing Directive]
SYSC 10.1.9
See Notes
Common platform firms should aim to identify and manage the conflicts of interest arising in relation to their various business lines and their group's activities under a comprehensive conflicts of interest policy. In particular, the disclosure of conflicts of interest by a firm should not exempt it from the obligation to maintain and operate the effective organisational and administrative arrangements under SYSC 10.1.7 R. While disclosure of specific conflicts of interest is required by SYSC 10.1.8 R, an over-reliance on disclosure without adequate consideration as to how conflicts may appropriately be managed is not permitted.
[Note: recital 27 of MiFID implementing Directive]
Conflicts policy
SYSC 10.1.10
See Notes
[Note: article 22(1) of MiFID implementing Directive]
Contents of policy
SYSC 10.1.11
See Notes
[Note: article 22(2) and (3) of MiFID implementing Directive]
SYSC 10.1.12
See Notes
In drawing up a conflicts of interest policy which identifies circumstances which constitute or may give rise to a conflict of interest, a common platform firm should pay special attention to the activities of investment research and advice, proprietary trading, portfolio management and corporate finance business, including underwriting or selling in an offering of securities and advising on mergers and acquisitions. In particular, such special attention is appropriate where the firm or a person directly or indirectly linked by control to the firm performs a combination of two or more of those activities.
[Note: recital 26 of MiFID implementing Directive]
Corporate finance
SYSC 10.1.13
See Notes
SYSC 10.1.14
See Notes
SYSC 10.1.15
See Notes
Measures that a common platform firm might wish to consider in drawing up its conflicts of interest policy in relation to the management of an offering of securities include:
- (1) at an early stage agreeing with its corporate finance client relevant aspects of the offering process such as the process the firm proposes to follow in order to determine what recommendations it will make about allocations for the offering; how the target investor group will be identified; how recommendations on allocation and pricing will be prepared; and whether the firm might place securities with its investment clients or with its own proprietary book, or with an associate, and how conflicts arising might be managed; and
- (2) agreeing allocation and pricing objectives with the corporate finance client; inviting the corporate finance client to participate actively in the allocation process; making the initial recommendation for allocation to retail clients of the firm as a single block and not on a named basis; having internal arrangements under which senior personnel responsible for providing services to retail clients make the initial allocation recommendations for allocation to retail clients of the firm; and disclosing to the issuer details of the allocations actually made.
[Note: The provisions in SYSC 10.1 also implement BCD Article 22 and BCD Annex V paragraph 1]
SYSC 10.2
Chinese walls
- 01/01/2007
Application
SYSC 10.2.1
See Notes
Control of information
SYSC 10.2.2
See Notes
- (1) When a common platform firm establishes and maintains a Chinese wall (that is, an arrangement that requires information held by a person in the course of carrying on one part of the business to be withheld from, or not to be used for, persons with or for whom it acts in the course of carrying on another part of its business) it may:
- (a) withhold or not use the information held; and
- (b) for that purpose, permit persons employed in the first part of its business to withhold the information held from those employed in that other part of the business;
- but only to the extent that the business of one of those parts involves the carrying on of regulated activities or ancillary activities .
- (2) Information may also be withheld or not used by a common platform firm when this is required by an established arrangement maintained between different parts of the business (of any kind) in the same group. This provision does not affect any requirement to transmit or use information that may arise apart from the rules in COB or COBS.
- (3) For the purpose of this rule, "maintains" includes taking reasonable steps to ensure that the arrangements remain effective and are adequately monitored, and must be interpreted accordingly.
- (4) For the purposes of section 118A(5)(a) of the Act, behaviour conforming with paragraph (1) does not amount to market abuse.
Effect of rules
SYSC 10.2.3
See Notes
SYSC 10.2.2 R is made under section 147 of the Act (Control of information rules). It has the following effect:
- (1) acting in conformity with SYSC 10.2.2 R (1) provides a defence against proceedings brought under section 397(2) or (3) of the Act (Misleading statements and practices) - see sections 397(4) and (5)(c);
- (2) behaviour in conformity with SYSC 10.2.2 R (1) does not amount to market abuse (see SYSC 10.2.2 R (4)); and
- (3) acting in conformity with SYSC 10.2.2 R (1) provides a defence for a firm against FSA enforcement action, or an action for damages under section 150 of the Act, based on a breach of a relevant requirement to disclose or use this information.
Attribution of knowledge
SYSC 10.2.4
See Notes
SYSC 10.2.5
See Notes
SYSC 11
Liquidity risk systems and controls
SYSC 11.1
Application
- 31/12/2006
SYSC 11.1.1
See Notes
SYSC 11 applies to:
- (1) an insurer, unless it is an EEA-deposit insurer or a Swiss general insurer;
- (2) a BIPRU firm;
- (3) an incoming EEA firm which:
- (a) is a full BCD credit institution; and
- (b) has a branch in the United Kingdom;
- (4) a third country BIPRU firm which:
- (a) is a bank; and
- (b) has a branch in the United Kingdom.
[Note: first paragraph of article 41 of the Banking Consolidation Directive]
SYSC 11.1.2
See Notes
- 31/12/2006
SYSC 11.1.3
See Notes
- 31/12/2006
SYSC 11.1.4
See Notes
SYSC 11 does not apply to:
- (1) a non-directive friendly society; or
- (2) a UCITS qualifier; or
- (3) an ICVC; or
- (4) an incoming EEA firm (unless it has a branch in the United Kingdom - see SYSC 11.1.1R (3)); or
- (5) an incoming Treaty firm.
SYSC 11.1.5
See Notes
- (1) SYSC 11.1.11 R and SYSC 11.1.12 R apply only to a BIPRU firm.
- (2) SYSC 11.1.26 G to SYSC 11.1.32 G do not apply to insurers.
SYSC 11.1.6
See Notes
If a firm carries on:
- (1) long-term insurance business; and
- (2) general insurance business;
SYSC 11 applies separately to each type of business.
Purpose
SYSC 11.1.7
See Notes
The purpose of SYSC 11 is to amplify GENPRU and SYSC in their specific application to liquidity risk and, in so doing, to indicate minimum standards for systems and controls in respect of that risk.
SYSC 11.1.8
See Notes
Appropriate systems and controls for the management of liquidity risk will vary with the scale, nature and complexity of the firm's activities. Most of the material in SYSC 11 is, therefore, guidance. SYSC 11 lays out some of the main issues that the FSA expects a firm to consider in relation to liquidity risk. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3 to organise and control its affairs responsibly and effectively.
SYSC 11.1.9
See Notes
SYSC 11.1.10
See Notes
SYSC 11.1.11 R and SYSC 11.1.12 R implement the specific liquidity risk requirements of the BCD.
- 31/12/2006
Requirements
SYSC 11.1.11
See Notes
A BIPRU firm must have policies and processes for the measurement and management of its net funding position and requirements on an ongoing and forward looking basis. Alternative scenarios must be considered and the assumptions underpinning decisions concerning the net funding position must be reviewed regularly.
[Note: annex V paragraph 14 of the Banking Consolidation Directive]
- 31/12/2006
SYSC 11.1.12
See Notes
A BIPRU firm must have contingency plans in place to deal with liquidity crises.
[Note: annex V paragraph 15 of the Banking Consolidation Directive]
- 31/12/2006
SYSC 11.1.13
See Notes
An insurer is also required to comply with the requirements in relation to liquidity risk set out in INSPRU 4.1.
SYSC 11.1.14
See Notes
SYSC 4.1.1 R requires a BIPRU firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to. A BIPRU firm is required by SYSC 7.1.2 R to establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment. Liquidity risk is one of the risks covered by both of those requirements.
- 31/12/2006
SYSC 11.1.15
See Notes
A UK bank, a branch of an EEA bank and a branch of an overseas bank is required in IPRU(BANK) GN 3.4.3 to set out its policy on the management of its liquidity. Guidance on a bank's liquidity policy statement is given in IPRU(BANK) LM Section 10. Guidance on a bank's management of liquidity risk is given in IPRU(BANK) LM Sections 2 and 9.
- 31/12/2006
SYSC 11.1.16
See Notes
A building society is required by IPRU(BSOC) 5.2.7 R to maintain a board-approved policy statement on liquidity. Guidance on a building society's liquidity policy statement is given in IPRU(BSOC) 5.2.8 and IPRU(BSOC) Annex 5B Guidance on a building society's management of liquidity risk is given in IPRU(BSOC) Sections 5.3 to 5.8.
- 31/12/2006
SYSC 11.1.17
See Notes
High level requirements in relation to carrying out stress testing and scenario analysis are set out in GENPRU 1.2. In particular, GENPRU 1.2.42R requires a firm to carry out appropriate stress testing and scenario analysis. SYSC 11 gives guidance in relation to these tests in the case of liquidity risk.
Stress testing and scenario analysis
SYSC 11.1.18
See Notes
The effect of GENPRU 1.2.30R, GENPRU 1.2.34R, GENPRU 1.2.37R(1) and GENPRU 1.2.42R is that, for the purposes of determining the adequacy of its overall financial resources, a firm must carry out appropriate stress testing and scenario analysis, including taking reasonable steps to identify an appropriate range of realistic adverse circumstances and events in which liquidity risk might occur or crystallise.
SYSC 11.1.19
See Notes
GENPRU 1.2.40G and GENPRU 1.2.62G to GENPRU 1.2.78G give guidance on stress testing and scenario analysis, including on how to choose appropriate scenarios, but the precise scenarios that a firm chooses to use will depend on the nature of its activities. For the purposes of testing liquidity risk, however, a firm should normally consider scenarios based on varying degrees of stress and both firm-specific and market-wide difficulties. In developing any scenario of extreme market-wide stress that may pose systemic risk, it may be appropriate for a firm to make assumptions about the likelihood and nature of central bank intervention.
SYSC 11.1.20
See Notes
A firm should review frequently the assumptions used in stress testing scenarios to gain assurance that they continue to be appropriate.
SYSC 11.1.21
See Notes
- (1) A scenario analysis in relation to liquidity risk required under GENPRU 1.2.42R should include a cash-flow projection for each scenario tested, based on reasonable estimates of the impact (both on and off balance sheet) of that scenario on the firm's funding needs and sources.
- (2) Contravention of (1) may be relied on as tending to establish contravention of GENPRU 1.2.42R.
SYSC 11.1.22
See Notes
In identifying the possible on and off balance sheet impact referred to in SYSC 11.1.21E (1), a firm may take into account:
- (1) possible changes in the market's perception of the firm and the effects that this might have on the firm's access to the markets, including:
- (a) (where the firm funds its holdings of assets in one currency with liabilities in another) access to foreign exchange markets, particularly in less frequently traded currencies;
- (b) access to secured funding, including by way of repo transactions; and
- (c) the extent to which the firm may rely on committed facilities made available to it;
- (2) (if applicable) the possible effect of each scenario analysed on currencies whose exchange rates are currently pegged or fixed; and
- (3) that:
- (a) general market turbulence may trigger a substantial increase in the extent to which persons exercise rights against the firm under off balance sheet instruments to which the firm is party;
- (b) access to OTC derivative and foreign exchange markets are sensitive to credit-ratings;
- (c) the scenario may involve the triggering of early amortisation in asset securitisation transactions with which the firm has a connection; and
- (d) its ability to securitise assets may be reduced.
Contingency funding plans
SYSC 11.1.23
See Notes
GENPRU 1.2.26R states that a firm must at all times maintain overall financial resources adequate to ensure that there is no significant risk that its liabilities cannot be met as they fall due. GENPRU 1.2.42R(1)(b) provides that for the purposes of determining the adequacy of its overall financial resources, a firm must estimate the financial resources it would need in each of the circumstances and events considered in carrying out its stress testing and scenario analysis in order to, inter alia, meet its liabilities as they fall due.
SYSC 11.1.24
See Notes
- (1) A firm should have an adequately documented contingency funding plan for taking action to ensure, so far as it can, that, in each of the scenarios analysed under GENPRU 1.2.42R(1)(b), it would still have sufficient liquid financial resources to meet liabilities as they fall due.
- (2) The contingency funding plan should cover what events or circumstances will lead the firm to put into action any part of the plan.
- (3) The contingency funding plan of a firm described in SYSC 11.1.1R (2) to SYSC 11.1.1R (4) should cover the extent to which the actions in (1) include:
- (a) selling, using as collateral in secured funding (including repo), or securitising, its assets;
- (b) otherwise reducing its assets;
- (c) modifying the structure of its liabilities or increasing its liabilities; and
- (d) the use of committed facilities.
- (4) A firm's contingency funding plan should, where relevant, take account of the impact of stressed market conditions on:
- (a) the behaviour of any credit-sensitive liabilities it has; and
- (b) its ability to securitise assets.
- (5) A firm's contingency funding plan should contain administrative policies and procedures that will enable the firm to manage the plan's implementation effectively, including:
- (a) the responsibilities of senior management;
- (b) names and contact details of members of the team responsible for implementing the contingency funding plan;
- (c) where, geographically, team members will be assigned;
- (d) who within the team is responsible for contact with head office (if appropriate), analysts, investors, external auditors, press, significant client's, regulators, lawyers and others; and
- (e) mechanisms that enable senior management and the governing body to receive management information that is both relevant and timely.
- (6) Contravention of any of (1) to (5) may be relied upon as tending to establish contravention of GENPRU 1.2.30R(2)(c).
Documentation
SYSC 11.1.25
See Notes
GENPRU 1.2.60R requires a firm to document its assessment of the adequacy of its liquidity financial resources, how it intends to deal with those risks, and details of the stress tests and scenario analyses carried out and the resulting financial resources estimated to be required. Accordingly, a firm should document both its stress testing and scenario analysis (see SYSC 11.1.18 G) and its contingency funding plan (see SYSC 11.1.23 G).
Management information systems
SYSC 11.1.26
See Notes
A firm should have adequate information systems for controlling and reporting liquidity risk. The management information system should be used to check for compliance with the firm's established policies, procedures and limits.
- 31/12/2006
SYSC 11.1.27
See Notes
Reports on liquidity risk should be provided on a timely basis to the firm's governing body, senior management and other appropriate personnel. The appropriate content and format of reports depends on a firm's liquidity management practices and the nature, scale and complexity of the firm's business. Reports to the firm's governing body may be less detailed and less frequent than reports to senior management with responsibility for managing liquidity risk.
- 31/12/2006
SYSC 11.1.28
See Notes
The FSA would expect management information to normally contain the following:
- (1) a cash-flow or funding gap report;
- (2) a funding maturity schedule;
- (3) a list of large providers of funding; and
- (4) a limit monitoring and exception report.
SYSC 11.1.29
See Notes
When considering what else might be included in liquidity risk management information, a firm should consider other types of information that may be important for understanding its liquidity risk profile. This may include:
- 31/12/2006
Limit setting
SYSC 11.1.30
See Notes
A firm's senior management should decide what limits need to be set, in accordance with the nature, scale and complexity of its activities. The structure of limits should reflect the need for a firm to have systems and controls in place to guard against a spectrum of possible risks, from those arising in day-to-day liquidity risk management to those arising in stressed conditions.
- 31/12/2006
SYSC 11.1.31
See Notes
A firm should periodically review and, where appropriate, adjust its limits when conditions or risk tolerances change.
- 31/12/2006
SYSC 11.1.32
See Notes
Policy or limit exceptions should receive the prompt attention of the appropriate management and should be resolved according to processes described in approved policies.
- 31/12/2006
SYSC 12
Group risk systems and controls requirements
SYSC 12.1
Application
- 01/01/2007
SYSC 12.1.1
See Notes
Subject to SYSC 12.1.2 R to SYSC 12.1.4 R, this section applies to each of the following which is a member of a group:
- (1) a firm that falls into any one or more of the following categories:
- (a) a regulated entity;
- (b) an ELMI;
- (c) an insurer;
- (d) a BIPRU firm;
- (e) a non-BIPRU firm that is a parent financial holding company in a Member State and is a member of a UK consolidation group; and
- (f) a firm subject to the rules in IPRU(INV) Chapter 14.
- (2) a UCITS firm, but only if its group contains a firm falling into (1); and
- (3) the Society.
SYSC 12.1.2
See Notes
Except as set out in SYSC 12.1.4 R, this section applies with respect to different types of group as follows:
- (1) SYSC 12.1.8 R and SYSC 12.1.10 R apply with respect to all groups, including FSA regulated EEA financial conglomerates, other financial conglomerates and groups dealt with in SYSC 12.1.13 R to SYSC 12.1.16 R;
- (2) the additional requirements set out in SYSC 12.1.11 R and SYSC 12.1.12 R only apply with respect to FSA regulated EEA financial conglomerates; and
- (3) the additional requirements set out in SYSC 12.1.13 R to SYSC 12.1.16 R only apply with respect to groups of the kind dealt with by whichever of those rules apply.
SYSC 12.1.3
See Notes
This section does not apply to:
- (1) an incoming EEA firm; or
- (2) an incoming Treaty firm; or
- (3) a UCITS qualifier; or
- (4) an ICVC.
SYSC 12.1.4
See Notes
- (1) This rule applies in respect of the following rules:
- (a) SYSC 12.1.8R (2);
- (b) SYSC 12.1.10R (1), so far as it relates to SYSC 12.1.8R (2);
- (c) SYSC 12.1.10R (2); and
- (d) SYSC 12.1.11 R to SYSC 12.1.15 R.
- (2) The rules referred to in (1):
- (a) only apply with respect to a financial conglomerate if it is an FSA regulated EEA financial conglomerate;
- (b) (so far as they apply with respect to a group that is not a financial conglomerate) do not apply with respect to a group for which a competent authority in another EEA state is lead regulator;
- (c) (so far as they apply with respect to a financial conglomerate) do not apply to a firm with respect to a financial conglomerate of which it is a member if the interest of the financial conglomerate in that firm is no more than a participation;
- (d) (so far as they apply with respect to other groups) do not apply to a firm with respect to a group of which it is a member if the only relationship of the kind set out in paragraph (3) of the definition of group between it and the other members of the group is nothing more than a participation; and
- (e) do not apply with respect to a third-country group.
SYSC 12.1.5
See Notes
For the purpose of this section, a group is defined in the Glossary, and includes the whole of a firm's group, including financial and non-financial undertakings. It also covers undertakings with other links to group members if their omission from the scope of group risk systems and controls would be misleading. The scope of the group systems and controls requirements may therefore differ from the scope of the quantitative requirements for groups.
Purpose
SYSC 12.1.6
See Notes
The purpose of this chapter is to set out how the systems and control requirements imposed by SYSC (Senior Management Arrangements, Systems and Controls) apply where a firm is part of a group. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.
SYSC 12.1.7
See Notes
This section implements Articles 73(3) (Supervision on a consolidated basis of credit institutions) and 138 (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directive, Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes) and Article 8 of the Insurance Groups Directive (Intra-group transactions).
General rules
SYSC 12.1.8
See Notes
A firm must:
- (1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and
- (2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.
SYSC 12.1.9
See Notes
For the purposes of SYSC 12.1.8 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business.
SYSC 12.1.10
See Notes
The internal control mechanisms referred to in SYSC 12.1.8 R must include:
- (1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency, systems and controls and large exposures):
- (a) to which the firm is subject with respect to its membership of a group; or
- (b) that apply to or with respect to that group or part of it; and
- (2) mechanisms that are adequate to monitor funding within the group.
Financial conglomerates
SYSC 12.1.11
See Notes
Where this section applies with respect to a financial conglomerate, the risk management processes referred to in SYSC 12.1.8R (2) must include:
- (1) sound governance and management processes, which must include the approval and periodic review by the appropriate managing bodies within the financial conglomerate of the strategies and policies of the financial conglomerate in respect of all the risks assumed by the financial conglomerate, such review and approval being carried out at the level of the financial conglomerate;
- (2) adequate capital adequacy policies at the level of the financial conglomerate, one of the purposes of which must be to anticipate the impact of the business strategy of the financial conglomerate on its risk profile and on the capital adequacy requirements to which it and its members are subject;
- (3) adequate procedures for the purpose of ensuring that the risk monitoring systems of the financial conglomerate and its members are well integrated into their organisation; and
- (4) adequate procedures for the purpose of ensuring that the systems and controls of the members of the financial conglomerate are consistent and that the risks can be measured, monitored and controlled at the level of the financial conglomerate.
SYSC 12.1.12
See Notes
Where this section applies with respect to a financial conglomerate, the internal control mechanisms referred to in SYSC 12.1.8R (2) must include:
- (1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate to risks; and
- (2) sound reporting and accounting procedures for the purpose of identifying, measuring, monitoring and controlling intra-group transactions and risk concentrations.
BIPRU firms and other firms to which BIPRU 8 applies
SYSC 12.1.13
See Notes
If this rule applies under SYSC 12.1.14 R to a firm, the firm must:
- (1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEA sub-group of which it is a member, as well as in relation to its group; and
- (2) ensure that the risk management processes and internal control mechanisms at the level of any UK consolidation group or non-EEA sub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated) basis:
- (a) SYSC 3.2.23 R and SYSC 3.2.24 R;
- (b) SYSC 3.2.26 R;
- (c) SYSC 3.2.28 R to SYSC 3.2.36 R;
- (d) SYSC 11.1.11 R and SYSC 11.1.12 R;
- (e) BIPRU 2.3.7 R (1);
- (f) BIPRU 9.1.6 R and BIPRU 9.13.21 R (Liquidity plans);
- (g) BIPRU 10.12.3 R (Concentration risk policies).
[Note: article 73(3) of the Banking Consolidation Directive]
SYSC 12.1.14
See Notes
SYSC 12.1.13 R applies to a firm that is:
- (1) an ELMI;
- (2) a BIPRU firm; or
- (3) a non-BIPRU firm that is a parent financial holding company in a Member State and is a member of a UK consolidation group.
SYSC 12.1.15
See Notes
In the case of a firm that:
- (1) is an ELMI or a BIPRU firm; and
- (2) has a mixed-activity holding company as a parent undertaking;
the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity holding company and any of the mixed-activity holding company's subsidiary undertakings.
Insurance undertakings
SYSC 12.1.16
See Notes
SYSC 12.1.17
See Notes
Nature and extent of requirements and allocation of responsibilities within the group
SYSC 12.1.18
See Notes
SYSC 12.1.19
See Notes
SYSC 12.1.20
See Notes
SYSC 12.1.21
See Notes
SYSC 12.1.22
See Notes
SYSC 13
Operational risk: systems and controls
SYSC 13.1
Application
- 31/12/2006
SYSC 13.1.1
See Notes
SYSC 13 applies to an insurer unless it is:
- (1) a non-directive friendly society; or
- (2) an incoming EEA firm; or
- (3) an incoming Treaty firm.
SYSC 13.1.2
See Notes
SYSC 13 applies to:
- (1) an EEA-deposit insurer; and
- (2) a Swiss general insurer;
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
SYSC 13.2
Purpose
- 31/12/2006
SYSC 13.2.1
See Notes
SYSC 13.2.2
See Notes
SYSC 13.2.3
See Notes
SYSC 13.2.4
See Notes
- 31/12/2006
SYSC 13.3
Other related Handbook sections
- 31/12/2006
SYSC 13.3.1
See Notes
The following is a non-exhaustive list of rules and guidance in the Handbook that are relevant to a firm's management of operational risk:
- (1) SYSC 14 and INSPRU 5.1 contain specific rules and guidance for the establishment and maintenance of operational risk systems and controls in a prudential context.
- (2) COB contains rules and guidance that can relate to the management of operational risk; for example, COB 2 (Rules which apply to all firms conducting designated investment business), COB 3 (Financial promotion), COB 5 (Advising and selling), COB 7 (Dealing and managing) and COB 9 (Client assets).
SYSC 13.4
Requirements to notify the FSA
- 31/12/2006
- Future version of SYSC 13.4 after 01/04/2013
SYSC 13.4.1
See Notes
SYSC 13.5
Risk management terms
- 31/12/2006
SYSC 13.5.1
See Notes
In this chapter, the following interpretations of risk management terms apply:
- (1) a firm's risk culture encompasses the general awareness, attitude and behaviour of its employees and appointed representatives to risk and the management of risk within the organisation;
- (2) operational exposure means the degree of operational risk faced by a firm and is usually expressed in terms of the likelihood and impact of a particular type of operational loss occurring (for example, fraud, damage to physical assets);
- (3) a firm's operational risk profile describes the types of operational risks that it faces, including those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients, and its exposure to these risks.
SYSC 13.6
People
- 31/12/2006
SYSC 13.6.1
See Notes
SYSC 13.6.2
See Notes
A firm should establish and maintain appropriate systems and controls for the management of operational risks that can arise from employees. In doing so, a firm should have regard to:
- (1) its operational risk culture, and any variations in this or its human resource management practices, across its operations (including, for example, the extent to which the compliance culture is extended to in-house IT staff);
- (2) whether the way employees are remunerated exposes the firm to the risk that it will not be able to meet its regulatory obligations (see SYSC 3.2.18 G). For example, a firm should consider how well remuneration and performance indicators reflect the firm's tolerance for operational risk, and the adequacy of these indicators for measuring performance;
- (3) whether inadequate or inappropriate training of client-facing services exposes clients to risk of loss or unfair treatment including by not enabling effective communication with the firm;
- (4) the extent of its compliance with applicable regulatory and other requirements that relate to the welfare and conduct of employees;
- (5) its arrangements for the continuity of operations in the event of employee unavailability or loss;
- (6) the relationship between indicators of 'people risk' (such as overtime, sickness, and employee turnover levels) and exposure to operational losses; and
- (7) the relevance of all the above to employees of a third party supplier who are involved in performing an outsourcing arrangement. As necessary, a firm should review and consider the adequacy of the staffing arrangements and policies of a service provider.
Employee responsibilities
SYSC 13.6.3
See Notes
A firm should ensure that all employees are capable of performing, and aware of, their operational risk management responsibilities, including by establishing and maintaining:
- (1) appropriate segregation of employees' duties and appropriate supervision of employees in the performance of their responsibilities (see SYSC 3.2.5 G);
- (2) appropriate recruitment and subsequent processes to review the fitness and propriety of employees (see SYSC 3.2.13 G and SYSC 3.2.14 G);
- (3) clear policy statements and appropriate systems and procedures manuals that are effectively communicated to employees and available for employees to refer to as required. These should cover, for example, compliance, IT security and health and safety issues;
- (4) training processes that enable employees to attain and maintain appropriate competence; and
- (5) appropriate and properly enforced disciplinary and employment termination policies and procedures.
SYSC 13.6.4
See Notes
SYSC 13.7
Processes and systems
- 31/12/2006
SYSC 13.7.1
See Notes
A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to:
- (1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems);
- (2) controls that will help it to prevent system and process failures or identify them to permit prompt rectification (including pre-approval or reconciliation processes);
- (3) whether the design and use of its processes and systems allow it to comply adequately with regulatory and other requirements;
- (4) its arrangements for the continuity of operations in the event that a significant process or system becomes unavailable or is destroyed; and
- (5) the importance of monitoring indicators of process or system risk (including reconciliation exceptions, compensation payments for client losses and documentation errors) and experience of operational losses and exposures.
Internal documentation
SYSC 13.7.2
See Notes
External documentation
SYSC 13.7.3
See Notes
SYSC 13.7.4
See Notes
A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so, a firm should have regard to:
- (1) compliance with applicable regulatory and other requirements (such as COB 3 (Financial promotion));
- (2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard terms (whose meaning may not yet be settled or whose effectiveness may be uncertain);
- (3) the manner in which its documentation is issued; and
- (4) the extent to which confirmation of acceptance is required (including by customer signature or counterparty confirmation).
IT systems
SYSC 13.7.5
See Notes
SYSC 13.7.6
See Notes
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:
- (1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
- (2) the extent to which technology requirements are addressed in its business strategy;
- (3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
- (4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).
Information security
SYSC 13.7.7
See Notes
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to:
- (1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
- (2) integrity: safeguarding the accuracy and completeness of information and its processing;
- (3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
- (4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.
SYSC 13.7.8
See Notes
Geographic location
SYSC 13.7.9
See Notes
Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to:
- (1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or cultural differences on the provision of services);
- (2) relevant local regulatory and other requirements regarding data protection and transfer;
- (3) the extent to which local regulatory and other requirements may restrict its ability to meet regulatory obligations in the United Kingdom (for example, access to information by the FSA and local restrictions on internal or external audit); and
- (4) the timeliness of information flows to and from its headquarters and whether the level of delegated authority and the risk management structures of the overseas operation are compatible with the firm's head office arrangements.
SYSC 13.8
External events and other changes
- 31/12/2006
SYSC 13.8.1
See Notes
The exposure of a firm to operational risk may increase during times of significant change to its organisation, infrastructure and business operating environment (for example, following a corporate restructure or changes in regulatory requirements). Before, during, and after expected changes, a firm should assess and monitor their effect on its risk profile, including with regard to:
- (1) untrained or de-motivated employees or a significant loss of employees during the period of change, or subsequently;
- (2) inadequate human resources or inexperienced employees carrying out routine business activities owing to the prioritisation of resources to the programme or project;
- (3) process or system instability and poor management information due to failures in integration or increased demand; and
- (4) inadequate or inappropriate processes following business re-engineering.
SYSC 13.8.2
See Notes
A firm should establish and maintain appropriate systems and controls for the management of the risks involved in expected changes, such as by ensuring:
- (1) the adequacy of its organisation and reporting structure for managing the change (including the adequacy of senior management oversight);
- (2) the adequacy of the management processes and systems for managing the change (including planning, approval, implementation and review processes); and
- (3) the adequacy of its strategy for communicating changes in systems and controls to its employees.
Unexpected changes and business continuity management
SYSC 13.8.3
See Notes
SYSC 13.8.4
See Notes
SYSC 13.8.5
See Notes
A firm should consider the likelihood and impact of a disruption to the continuity of its operations from unexpected events. This should include assessing the disruptions to which it is particularly susceptible (and the likely timescale of those disruptions) including through:
- (1) loss or failure of internal and external resources (such as people, systems and other assets);
- (2) the loss or corruption of its information; and
- (3) external events (such as vandalism, war and "acts of God").
SYSC 13.8.6
See Notes
SYSC 13.8.7
See Notes
A firm should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. A firm should establish:
- (1) formal business continuity plans that outline arrangements to reduce the impact of a short, medium or long-term disruption, including:
- (a) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
- (b) the recovery priorities for the firm's operations; and
- (c) communication arrangements for internal and external concerned parties (including the FSA, clients and the press);
- (2) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
- (3) processes to validate the integrity of information affected by the disruption;
- (4) processes to review and update (1) to (3) following changes to the firm's operations or risk profile (including changes identified through testing).
SYSC 13.8.8
See Notes
SYSC 13.9
Outsourcing
- 31/12/2006
SYSC 13.9.1
See Notes
SYSC 13.9.2
See Notes
SYSC 13.9.3
See Notes
SYSC 13.9.4
See Notes
Before entering into, or significantly changing, an outsourcing arrangement, a firm should:
- (1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
- (2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
- (3) conduct appropriate due diligence of the service provider's financial stability and expertise;
- (4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
- (5) consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
SYSC 13.9.5
See Notes
In negotiating its contract with a service provider, a firm should have regard to:
- (1) reporting or notification requirements it may wish to impose on the service provider;
- (2) whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the Act) and to the FSA (see SUP 2.3.5 R (Access to premises) and SUP 2.3.7 R (Suppliers under material outsourcing arrangements);
- (3) information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
- (4) the adequacy of any guarantees and indemnities;
- (5) the extent to which the service provider must comply with the firm's policies and procedures (covering, for example, information security);
- (6) the extent to which a service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
- (7) the need for continued availability of software following difficulty at a third party supplier;
- (8) the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
- (a) a change of ownership or control (including insolvency or receivership) of the service provider or firm; or
- (b) significant change in the business operations (including sub-contracting) of the service provider or firm; or
- (c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.
SYSC 13.9.6
See Notes
In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:
- (1) the identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
- (2) the evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
- (3) remedial action and escalation processes for dealing with inadequate performance.
SYSC 13.9.7
See Notes
SYSC 13.9.8
See Notes
SYSC 13.10
Insurance
- 31/12/2006
SYSC 13.10.1
See Notes
SYSC 13.10.2
See Notes
When considering utilising insurance, a firm should consider:
- (1) the time taken for the insurer to pay claims (including the potential time taken in disputing cover) and the firm's funding of operations whilst awaiting payment of claims;
- (2) the financial strength of the insurer, which may determine its ability to pay claims, particularly where large or numerous small claims are made at the same time; and
- (3) the effect of any limiting conditions and exclusion clauses that may restrict cover to a small number of specific operational losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).
SYSC 14
Prudential risk management and associated systems and controls
SYSC 14.1
Application
- 31/12/2006
SYSC 14.1.1
See Notes
This section applies to an insurer unless it is:
- (1) a non-directive friendly society; or
- (2) an incoming EEA firm; or
- (3) an incoming Treaty firm.
SYSC 14.1.2
See Notes
This section applies to:
- (1) an EEA-deposit insurer; and
- (2) a Swiss general insurer;
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
Purpose
SYSC 14.1.3
See Notes
SYSC 14.1.4
See Notes
SYSC 14.1.5
See Notes
How to interpret this section
SYSC 14.1.6
See Notes
SYSC 14.1.7
See Notes
SYSC 14.1.8
See Notes
Appropriate systems and controls for the management of prudential risk will vary from firm to firm. Therefore, most of the material in this section is guidance. In interpreting this guidance, a firm should have regard to its own particular circumstances. Following from SYSC 3.1.2 G, this should include considering the nature, scale and complexity of its business, which may be influenced by factors such as:
- (1) the diversity of its operations, including geographical diversity;
- (2) the volume and size of its transactions; and
- (3) the degree of risk associated with each area of its operation.
SYSC 14.1.9
See Notes
The role of systems and controls in a prudential context
SYSC 14.1.10
See Notes
The prudential responsibilities of senior management and the apportionment of those responsibilities
SYSC 14.1.11
See Notes
Ultimate responsibility for the management of prudential risks rests with a firm's governing body and relevant senior managers, and in particular with those individuals that undertake the firm's governing functions and the apportionment and oversight function. In particular, these responsibilities should include:
- (1) overseeing the establishment of an appropriate business plan and risk management strategy;
- (2) overseeing the development of appropriate systems for the management of prudential risks;
- (3) establishing adequate internal controls; and
- (4) ensuring that the firm maintains adequate financial resources.
The delegation of responsibilities within the firm
SYSC 14.1.12
See Notes