SYSC Senior Management Arrangements, Systems and Controls sourcebook

Export part as

SYSC 1

Application and purpose

SYSC 1.1A

Application

SYSC 1.1A.1

See Notes

handbook-guidance
The application of this sourcebook is summarised at a high level in the following table. The detailed application is cut back in SYSC 1 Annex 1 and in the text of each chapter.

SYSC 1.2

Purpose

SYSC 1.2.1

See Notes

handbook-guidance

The purposes of SYSC are:

  1. (1) to encourage firms' directors and senior managers to take appropriate practical responsibility for their firms' arrangements on matters likely to be of interest to the FSA because they impinge on the FSA's functions under the Act;
  2. (2) to increase certainty by amplifying Principle 3, under which a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems;
  3. (3) to encourage firms to vest responsibility for effective and responsible organisation in specific directors and senior managers; and
  4. (4) to create a common platform of organisational and systems and controls requirements for all firms.
  5. (5) [deleted]

What?

SYSC 1.4.1

See Notes

handbook-guidance
The application of each of chapters SYSC 11 to SYSC 19 is set out in those chapters.

Actions for damages

SYSC 1.4.2

See Notes

handbook-rule
A contravention of a rule in SYSC 11 to SYSC 19 does not give rise to a right of action by a private person under section 150 of the Act (and each of those rules is specified under section 150(2) of the Act as a provision giving rise to no such right of action).

SYSC 1 Annex 1

Detailed application of SYSC

Export chapter as

SYSC 2

Senior management arrangements

SYSC 2.1

Apportionment of Responsibilities

SYSC 2.1.1

See Notes

handbook-rule

A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that:

  1. (1) it is clear who has which of those responsibilities; and
  2. (2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior managers and governing body of the firm.

SYSC 2.1.2

See Notes

handbook-guidance
The role undertaken by a non-executive director will vary from one firm to another. For example, the role of a non-executive director in a friendly society may be more extensive than in other firms. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes. Provided that he has personally taken due care in his role, a non-executive director would not be held discipliniarily liable either for the failings of the firm or for those of individuals within the firm. The non-executive director function, for the purposes of the approved persons regime, is described in SUP 10.

SYSC 2.1.3

See Notes

handbook-rule

A firm must appropriately allocate to one or more individuals, in accordance with SYSC 2.1.4 R, the functions of:

  1. (1) dealing with the apportionment of responsibilities under SYSC 2.1.1 R; and
  2. (2) overseeing the establishment and maintenance of systems and controls under SYSC 3.1.1 R.

SYSC 2.1.4

See Notes

handbook-rule

Allocation of functions

This table belongs to SYSC 2.1.3 R

SYSC 2.1.5

See Notes

handbook-guidance
SYSC 2.1.3 R and SYSC 2.1.4 R give a firm some flexibility in the individuals to whom the functions may be allocated. It will be common for both the functions to be allocated solely to the firm's chief executive. SYSC 2.1.6 G contains further guidance on the requirements of SYSC 2.1.3 R and SYSC 2.1.4 R in a question and answer form.

SYSC 2.1.6

See Notes

handbook-guidance

Frequently asked questions about allocation of functions in SYSC 2.1.3 R

This table belongs to SYSC 2.1.5 G

SYSC 2.2

Recording the apportionment

SYSC 2.2.1

See Notes

handbook-rule
  1. (1) A firm must make a record of the arrangements it has made to satisfy SYSC 2.1.1 R (apportionment) and SYSC 2.1.3 R (allocation) and take reasonable care to keep this up to date.
  2. (2) This record must be retained for six years from the date on which it was superseded by a more up-to-date record.

SYSC 2.2.2

See Notes

handbook-guidance
  1. (1) A firm will be able to comply with SYSC 2.2.1 R by means of records which it keeps for its own purposes provided these records satisfy the requirements of SYSC 2.2.1 R and provided the firm takes reasonable care to keep them up to date. Appropriate records might, for this purpose, include organisational charts and diagrams, project management documents, job descriptions, committee constitutions and terms of reference provided they show a clear description of the firm's major functions.
  2. (2) Firms should record any material change to the arrangements described in SYSC 2.2.1 R as soon as reasonably practicable after that change has been made.

SYSC 2.2.3

See Notes

handbook-guidance
Where responsibilities have been allocated to more than one individual, the firm's record should show clearly how those responsibilities are shared or divided between the individuals concerned.

Export chapter as

SYSC 3

Systems and Controls

SYSC 3.1

Systems and Controls

SYSC 3.1.1

See Notes

handbook-rule
A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

SYSC 3.1.2

See Notes

handbook-guidance
  1. (1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including:
    1. (a) the nature, scale and complexity of its business;
    2. (b) the diversity of its operations, including geographical diversity;
    3. (c) the volume and size of its transactions; and
    4. (d) the degree of risk associated with each area of its operation.
  2. (2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.
  3. (3) The areas typically covered by the systems and controls referred to in SYSC 3.1.1 R are those identified in SYSC 3.2. Detailed requirements regarding systems and controls relevant to particular business areas or particular types of firm are covered elsewhere in the Handbook.

SYSC 3.1.3

See Notes

handbook-guidance
Where the UK Corporate Governance Code is relevant to a firm, the FSA, in considering whether the firm's obligations under SYSC 3.1.1 R have been met, will give it due credit for following corresponding provisions in the codeand related guidance.

SYSC 3.1.4

See Notes

handbook-guidance
A firm has specific responsibilities regarding its appointed representatives or, where applicable, its tied agents (see SUP 12).

SYSC 3.1.5

See Notes

handbook-guidance
SYSC 2.1.3 R (2) prescribes how a firm must allocate the function of overseeing the establishment and maintenance of systems and controls described in SYSC 3.1.1 R.

SYSC 3.1.6

See Notes

handbook-rule
A firm which is not a common platform firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.

SYSC 3.1.7

See Notes

handbook-rule
When complying with the competent employees rules, a firm must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business.

SYSC 3.1.8

See Notes

handbook-guidance
The Training and Competence sourcebook (TC) contains additional rules and guidance relating to specified retail activities undertaken by a firm.

SYSC 3.1.9

See Notes

handbook-guidance
Firms which are carrying on activities that are not subject to TC may nevertheless wish to take TC into account in complying with the training and competence requirements in SYSC.

SYSC 3.1.10

See Notes

handbook-guidance
If a firm requires employees who are not subject to an examination requirement to pass a relevant examination from the list of recommended examinations maintained by the Financial Services Skills Council, the FSA will take that into account when assessing whether the firm has ensured that the employee satisfies the knowledge component of the competent employees rule.

SYSC 3.2

Areas covered by systems and controls

Introduction

SYSC 3.2.1

See Notes

handbook-guidance
This section covers some of the main issues which a firm is expected to consider in establishing and maintaining the systems and controls appropriate to its business, as required by SYSC 3.1.1 R.

Organisation

SYSC 3.2.2

See Notes

handbook-guidance
A firm's reporting lines should be clear and appropriate having regard to the nature, scale and complexity of its business. These reporting lines, together with clear management responsibilities, should be communicated as appropriate within the firm.

SYSC 3.2.3

See Notes

handbook-guidance
  1. (1) A firm's governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives or, where applicable, its tied agents, appropriate safeguards should be put in place.
  2. (2) When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved.
  3. (3) The extent and limits of any delegation should be made clear to those concerned.
  4. (4) There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks.
  5. (5) If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.

SYSC 3.2.4

See Notes

handbook-guidance
  1. (1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.
  2. (2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.

SYSC 3.2.5

See Notes

handbook-guidance
Where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.

SYSC 3.2.5A

See Notes

handbook-rule
An overseasbank must ensure that at least two individuals effectively direct its business.

SYSC 3.2.5B

See Notes

handbook-guidance
In the case of an overseasbank, the FSA assesses whether at least two individuals effectively direct the business of the bank (and not just the business of its branch in the United Kingdom). The FSA also takes into account the manner in which management decisions are taken in the United Kingdom branch in assessing the adequacy of the overseas bank's systems and controls.

Systems and controls in relation to compliance, financial crime and money laundering

SYSC 3.2.6

See Notes

handbook-rule
A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.

SYSC 3.2.6A

See Notes

handbook-rule

A firm must ensure that these systems and controls:

  1. (1) enable it to identify, assess, monitor and manage money laundering risk; and
  2. (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.

SYSC 3.2.6B

See Notes

handbook-guidance
"Money laundering risk" is the risk that a firm may be used to further money laundering. Failure by a firm to manage this risk effectively will increase the risk to society of crime and terrorism.

SYSC 3.2.6C

See Notes

handbook-rule
A firm must carry out regular assessments of the adequacy of these systems and controls to ensure that it continues to comply with SYSC 3.2.6A R.

SYSC 3.2.6D

See Notes

handbook-guidance
A firm may also have separate obligations to comply with relevant legal requirements, including the Terrorism Act 2000, the Proceeds of Crime Act 2002 and the Money Laundering Regulations. SYSC 3.2.6 R to SYSC 3.2.6J G are not relevant for the purposes of regulation 42(3) or 45(2)of the Money Laundering Regulations, section 330(8) of the Proceeds of Crime Act 2002 or section 21A(6) of the Terrorism Act 2000.

SYSC 3.2.6E

See Notes

handbook-guidance
The FSA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the UK financial sector issued by the Joint Money Laundering Steering Group.

SYSC 3.2.6F

See Notes

handbook-guidance

In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:

  1. (1) its customer, product and activity profiles;
  2. (2) its distribution channels;
  3. (3) the complexity and volume of its transactions;
  4. (4) its processes and systems; and
  5. (5) its operating environment.

SYSC 3.2.6G

See Notes

handbook-guidance

A firm should ensure that the systems and controls include:

  1. (1) appropriate training for its employees in relation to money laundering;
  2. (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;
  3. (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering, including documentation of its application of those policies (see SYSC 3.2.20 R to SYSC 3.2.22 G);
  4. (4) appropriate measures to ensure that money laundering risk is taken into account in its day-to-day operation, including in relation to:
    1. (a) the development of new products;
    2. (b) the taking-on of new customers; and
    3. (c) changes in its business profile; and
  5. (5) appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.

SYSC 3.2.6H

See Notes

handbook-rule
A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.

The money laundering reporting officer

SYSC 3.2.6I

See Notes

handbook-rule

A firm must:

  1. (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and
  2. (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.

SYSC 3.2.6J

See Notes

handbook-guidance
The job of the MLRO within a firm is to act as the focal point for all activity within the firm relating to anti-money laundering. The FSA expects that a firm's MLRO will be based in the United Kingdom.

The compliance function

SYSC 3.2.7

See Notes

handbook-guidance
  1. (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
  2. (2) [deleted]
  3. (3) [deleted]

SYSC 3.2.8

See Notes

handbook-rule
  1. (1) A firm which carries on designated investment business with or for retail clients or professional clients must allocate to a director or senior manager the function of:
    1. (a) having responsibility for oversight of the firm's compliance; and
    2. (b) reporting to the governing body in respect of that responsibility.
  2. (2) In (1) "compliance" means compliance with the rules in:
    1. (a) COBS (Conduct of Business);
    2. (b) COLL ( Collective Investment Schemes sourcebook); and
    3. (c) CASS (Client Assets)

SYSC 3.2.9

See Notes

handbook-guidance
  1. (1) SUP 10.7.8 R uses SYSC 3.2.8 R to describe the controlled function, known as the compliance oversight function, of acting in the capacity of a director or senior manager to whom this function is allocated.
  2. (2) The rules referred to in SYSC 3.2.8 R (2) are the minimum area of focus for the firm's compliance oversight function. A firm is free to give additional responsibilities to a person performing this function if it wishes.

Risk assessment

SYSC 3.2.10

See Notes

handbook-guidance
  1. (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate risk assessment function responsible for assessing the risks that the firm faces and advising the governing body and senior managers on them.
  2. (2) The organisation and responsibilities of a risk assessment function should be documented. The function should be adequately resourced and staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively.
  3. (3) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).

Management information

SYSC 3.2.11

See Notes

handbook-guidance
  1. (1) A firm's arrangements should be such as to furnish its governing body with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Three factors will be the relevance, reliability and timeliness of that information.
  2. (2) Risks of regulatory concern are those risks which relate to the fair treatment of the firm's customers, to the protection of consumers, to confidence in the UK financial system, to the use of that system in connection with financial crime, and to financial stability.

SYSC 3.2.12

See Notes

handbook-guidance
It is the responsibility of the firm to decide what information is required, when, and for whom, so that it can organise and control its activities and can comply with its regulatory obligations. The detail and extent of information required will depend on the nature, scale and complexity of the business.

Employees and agents

SYSC 3.2.13

See Notes

handbook-guidance
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it.

SYSC 3.2.14

See Notes

handbook-guidance
  1. (1) SYSC 3.2.13 G includes assessing an individual's honesty, and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
  2. (2) Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.
  3. (3) [deleted]
  4. (4) The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10.

Audit committee

SYSC 3.2.15

See Notes

handbook-guidance
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G) and provide an interface between management and the external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.

Internal audit

SYSC 3.2.16

See Notes

handbook-guidance
  1. (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
  2. (2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).

Business strategy

SYSC 3.2.17

See Notes

handbook-guidance

A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.

Remuneration policies

SYSC 3.2.18

See Notes

handbook-guidance

It is possible that firms' remuneration policies will from time to time lead to tensions between the ability of the firm to meet the requirements and standards under the regulatory system and the personal advantage of those who act for it. Where tensions exist, these should be appropriately managed.

Business continuity

SYSC 3.2.19

See Notes

handbook-guidance

A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Records

SYSC 3.2.20

See Notes

handbook-rule
  1. (1) A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.
  2. (2) Subject to (3) and to any other record-keeping rule in the Handbook, the records required by (1) or by such other rule must be capable of being reproduced in the English language on paper.
  3. (3) If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language as required by (2).

SYSC 3.2.21

See Notes

handbook-guidance

A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.

SYSC 3.2.22

See Notes

handbook-guidance

Detailed record-keeping requirements for different types of firm are to be found elsewhere in the Handbook. Schedule 1 to the Handbook is a consolidated schedule of these requirements.

Export chapter as

SYSC 4

General organisational requirements

SYSC 4.1

General requirements

SYSC 4.1.1

See Notes

handbook-rule

A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.

[Note: article 22(1) of the Banking Consolidation Directive, article 13(5) second paragraph of MiFID]

SYSC 4.1.2

See Notes

handbook-rule

For a common platform firm, the arrangements, processes and mechanisms referred to in SYSC 4.1.1 R must be comprehensive and proportionate to the nature, scale and complexity of the common platform firm's activities and must take into account the specific technical criteria described in SYSC 4.1.7 R, SYSC 5.1.7 R and SYSC 7 .

[Note: article 22(2) of the Banking Consolidation Directive]

SYSC 4.1.2A

See Notes

handbook-guidance

Other firms should take account of the comprehensiveness and proportionality rule (SYSC 4.1.2 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G but a firm with an interim RSRB permission to the extent that it carries on regulated sale and rent back activity, need not take into account the specific technical criteria described in SYSC 4.1.7 R, SYSC 5.1.7 R and SYSC 7.

SYSC 4.1.3

See Notes

handbook-rule

A BIPRU firm must ensure that its internal control mechanisms and administrative and accounting procedures permit the verification of its compliance with rules adopted in accordance with the Capital Adequacy Directive at all times.

[Note: article 35(1) final sentence of the Capital Adequacy Directive]

SYSC 4.1.4

See Notes

handbook-rule

A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)) must, taking into account the nature, scale and complexity of the business of the firm, and the nature and range of the (for a common platform firm) investment services and activities or (for every other firm) financial services and activities undertaken in the course of that business:

  1. (1) (if it is a common platform firm) establish, implement and maintain decision-making procedures and an organisational structure which clearly and in a documented manner specifies reporting lines and allocates functions and responsibilities;
  2. (2) establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm; and
  3. (3) (if it is a common platform firm) establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the firm.

[Note: articles 5(1) final paragraph, 5(1)(a), 5(1)(c) and 5(1)(e) of the MiFID implementing Directive]

SYSC 4.1.4A

See Notes

handbook-guidance

A firm that is not a common platform firm should take into account the decision-making procedures and effective internal reporting rules (SYSC 4.1.4R (1) and (3) ) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.1.5

See Notes

handbook-rule

A MiFID investment firm must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.

[Note: article 5(2) of the MiFID implementing Directive]

Business continuity

SYSC 4.1.6

See Notes

handbook-rule

A common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm must employ appropriate and proportionate systems, resources and procedures.

[Note: article 13(4) of MiFID]

SYSC 4.1.7

See Notes

handbook-rule

A common platform firm must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of its regulated activities.

[Note: article 5(3) of the MiFID implementing Directive and annex V paragraph 13 of the Banking Consolidation Directive]

SYSC 4.1.7A

See Notes

handbook-guidance

Other firms should take account of the business continuity rules (SYSC 4.1.6 R and 4.1.7 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.1.8

See Notes

handbook-guidance

The matters dealt with in a business continuity policy should include:

  1. (1) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
  2. (2) the recovery priorities for the firm's operations;
  3. (3) communication arrangements for internal and external concerned parties (including the FSA , clients and the press);
  4. (4) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
  5. (5) processes to validate the integrity of information affected by the disruption; and
  6. (6) regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC 4.1.10 R.

SYSC 4.1.8A

See Notes

handbook-rule

An operator of an electronic system in relation to lending must take reasonable steps to ensure that arrangements are in place to ensure that P2P agreements facilitated by it will continue to be managed and administered, in accordance with the contract terms, if at any time it ceases to carry on the activity of operating an electronic system in relation to lending

Accounting policies

SYSC 4.1.9

See Notes

handbook-rule

A common platform firm must establish, implement and maintain accounting policies and procedures that enable it, at the request of the FSA, to deliver in a timely manner to the FSA financial reports which reflect a true and fair view of its financial position and which comply with all applicable accounting standards and rules.

[Note: article 5(4) of the MiFID implementing Directive]

Regular monitoring

SYSC 4.1.10

See Notes

handbook-rule

A common platform firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.

[Note: article 5(5) of the MiFID implementing Directive]

SYSC 4.1.10A

See Notes

handbook-guidance

Other firms should take account of the regular monitoring rule (SYSC 4.1.10 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G, but ignoring the cross-reference to SYSC 4.1.5 R and 4.1.9 R.

Audit committee

SYSC 4.1.11

See Notes

handbook-guidance

Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface between management and external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.

Remuneration policies

SYSC 4.1.12

See Notes

handbook-guidance

Certain banks, building societies and BIPRU 730k firms will need to comply with the Remuneration Code requirement to establish, implement and maintain an effective remuneration policy that is consistent with effective risk management. See SYSC 19.1 for details of the application of the Remuneration Code.

SYSC 4.2

Persons who effectively direct the business

SYSC 4.2.1

See Notes

handbook-rule

The senior personnel of a common platform firm or of the UK branch of a non-EEA bank must be of sufficiently good repute and sufficiently experienced as to ensure the sound and prudent management of the firm.

[Note: article 9(1) of MiFID and article 11(1) second paragraph of the Banking Consolidation Directive]

SYSC 4.2.1A

See Notes

handbook-guidance

Other firms should take account of the senior personnel rule (SYSC 4.2.1 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.2.2

See Notes

handbook-rule

A common platform firm and the UK branch of a non-EEA bank must ensure that its management is undertaken by at least two persons meeting the requirements laid down in SYSC 4.2.1 R.

[Note: article 9(4) first paragraph of MiFID and article 11(1) first paragraph of the Banking Consolidation Directive]

SYSC 4.2.3

See Notes

handbook-guidance

In the case of a body corporate, the persons referred to in SYSC 4.2.2 R should either be executive directors or persons granted executive powers by, and reporting immediately to, the governing body. In the case of a partnership, they should be active partners.

SYSC 4.2.4

See Notes

handbook-guidance

At least two independent minds should be applied to both the formulation and implementation of the policies of a common platform firm and the UK branch of a non-EEA bank. Where such a firm nominates just two individuals to direct its business, the FSA will not regard them as both effectively directing the business where one of them makes some, albeit significant, decisions relating to only a few aspects of the business. Each should play a part in the decision-making process on all significant decisions. Both should demonstrate the qualities and application to influence strategy, day-to-day policy and its implementation. This does not require their day-to-day involvement in the execution and implementation of policy. It does, however, require involvement in strategy and general direction, as well as knowledge of, and influence on, the way in which strategy is being implemented through day-to-day policy.

SYSC 4.2.5

See Notes

handbook-guidance

Where there are more than two individuals directing the business of a common platform firm or the UK branch of a non-EEA bank, the FSA does not regard it as necessary for all of these individuals to be involved in all decisions relating to the determination of strategy and general direction. However, at least two individuals should be involved in all such decisions. Both individuals' judgement should be engaged so that major errors leading to difficulties for the firm are less likely to occur. Similarly, each individual should have sufficient experience and knowledge of the business and the necessary personal qualities and skills to detect and resist any imprudence, dishonesty or other irregularities by the other individual. Where a single individual, whether a chief executive, managing director or otherwise, is particularly dominant in such a firm this will raise doubts about whether SYSC 4.2.2 R is met.

SYSC 4.2.6

See Notes

handbook-rule

If a common platform firm, (other than a credit institution) or the UK branch of a non-EEA bank, is:

  1. (1) a natural person; or
  2. (2) a legal person managed by a single natural person;

it must have alternative arrangements in place which ensure sound and prudent management of the firm.

[Note: article 9(4) second paragraph of MiFID]

SYSC 4.3

Responsibility of senior personnel

SYSC 4.3.1

See Notes

handbook-rule

A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)), when allocating functions internally, must ensure that senior personnel and, where appropriate, the supervisory function, are responsible for ensuring that the firm complies with its obligations under the regulatory system. In particular, senior personnel and, where appropriate, the supervisory function must assess and periodically review the effectiveness of the policies, arrangements and procedures put in place to comply with the firm's obligations under the regulatory system and take appropriate measures to address any deficiencies.

[Note: article 9(1) of the MiFID implementing Directive]

SYSC 4.3.2

See Notes

handbook-rule

A common platform firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)), must ensure that:

  1. (1) its senior personnel receive on a frequent basis, and at least annually, written reports on the matters covered by SYSC 6.1.2 R to SYSC 6.1.5 R, SYSC 6.2.1 R and SYSC 7.1.2 R, SYSC 7.1.3 R and SYSC 7.1.5 R to SYSC 7.1.7 R, indicating in particular whether the appropriate remedial measures have been taken in the event of any deficiencies; and
  2. (2) the supervisory function, if any, receives on a regular basis written reports on the same matters.

[Note: article 9(2) and article 9(3) of the MiFID implementing Directive]

SYSC 4.3.2A

See Notes

handbook-guidance

Other firms should take account of the written reports rule (SYSC 4.3.2 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 4.3.3

See Notes

handbook-guidance

The supervisory function does not include a general meeting of the shareholders of a firm , or equivalent bodies, but could involve, for example, a separate supervisory board within a two-tier board structure or the establishment of a non-executive committee of a single-tier board structure.

SYSC 4.4

Apportionment of responsibilities

Application

SYSC 4.4.1

See Notes

handbook-rule

This section applies to:

  1. (1) an authorised professional firm in respect of its non-mainstream regulated activities unless the firm is also conducting other regulated activities and has appointed approved persons to perform the governing functions with equivalent responsibilities for the firm's non-mainstream regulated activities and other regulated activities;
  2. (2) activities carried on by a firm whose principal purpose is to carry on activities other than regulated activities and which is:
    1. (a) an oil market participant; or
    2. (b) a service company; or
    3. (c) an energy market participant; or
    4. (d) a wholly-owned subsidiary of:
      1. (i) a local authority; or
      2. (ii) a registered social landlord; or
    5. (e) a firm with permission to carry on insurance mediation activity in relation to non-investment insurance contracts but no other regulated activity;
  3. (3) [deleted]
  4. (4) [deleted]
  5. (5) [deleted]
    1. (a) [deleted]
    2. (b) [deleted]
  6. (6) [deleted]
  7. (7) an incoming Treaty firm, an incoming EEA firm or a UCITS qualifier (but only SYSC 4.4.5R (2) applies for these firms); and
  8. (8) a sole trader, but only if he employs any person who is required to be approved under section 59 of the Act (Approval for particular arrangements).

SYSC 4.4.1A

See Notes

handbook-rule

SYSC 4.4.3 R (Maintaining a clear and appropriate apportionment) also applies to a firm with an interim RSRB permission to the extent that it carries on regulated sale and rent back activity.

SYSC 4.4.2

See Notes

handbook-guidance

This section does not apply to a common platform firm.

Maintaining a clear and appropriate apportionment

SYSC 4.4.3

See Notes

handbook-rule

A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that:

  1. (1) it is clear who has which of those responsibilities; and
  2. (2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior managers and governing body of the firm.

SYSC 4.4.4

See Notes

handbook-guidance

The role undertaken by a non-executive director will vary from one firm to another. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes. Provided that he has personally taken due care in his role, a non-executive director would not be held disciplinarily liable either for the failings of the firm or for those of individuals within the firm. The non-executive director function, for the purposes of the approved persons regime is described in SUP 10.

Allocating functions of apportionment and oversight

SYSC 4.4.5

See Notes

handbook-rule

A firm must appropriately allocate to one or more individuals, in accordance with the following table, the functions of:

  1. (1) dealing with the apportionment of responsibilities under SYSC 4.4.3 R; and
  2. (2) overseeing the establishment and maintenance of systems and controls under SYSC 4.1.1 R.

SYSC 4.4.6

See Notes

handbook-guidance

Frequently asked questions about allocation of functions in SYSC 4.4.5 R

Export chapter as

SYSC 5

Employees, agents and other relevant persons

SYSC 5.1

Skills, knowledge and expertise

SYSC 5.1.1

See Notes

handbook-rule

A firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them.

[Note: article 5(1)(d) of the MiFID implementing Directive]

SYSC 5.1.2

See Notes

handbook-guidance
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual's honesty and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.

SYSC 5.1.3

See Notes

handbook-guidance
Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.

SYSC 5.1.4

See Notes

handbook-guidance
The Training and Competence sourcebook (TC) contains additional rules and guidance relating to specified retail activities undertaken by a firm.

SYSC 5.1.4A

See Notes

handbook-guidance
Firms which are carrying on activities that are not subject to TC may nevertheless wish to take TC into account in complying with the training and competence requirements in SYSC.

SYSC 5.1.5

See Notes

handbook-guidance
The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10 .

SYSC 5.1.5A

See Notes

handbook-guidance
If a firm requires employees who are not subject to an examination requirement in TC to pass a relevant examination from the list of recommended examinations maintained by the Financial Services Skills Council, the FSA will take that into account when assessing whether the firm has ensured that the employee satisfies the knowledge component of the competent employees rule.

Segregation of functions

SYSC 5.1.6

See Notes

handbook-rule

A common platform firm must ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular functions soundly, honestly and professionally.

[Note: article 5(1)(g) of the MiFID implementing Directive]

SYSC 5.1.7

See Notes

handbook-rule

The senior personnel of a common platform firm must define arrangements concerning the segregation of duties within the firm and the prevention of conflicts of interest.

[Note:annex V paragraph 1 of the Banking Consolidation Directive]

SYSC 5.1.7A

See Notes

handbook-guidance
Other firms should take account of the segregation of functions rules (SYSC 5.1.6 R and SYSC 5.1.7 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 5.1.8

See Notes

handbook-guidance
The effective segregation of duties is an important element in the internal controls of a firm in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm'sgoverning body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems.

SYSC 5.1.9

See Notes

handbook-guidance

A firm should normally ensure that no single individual has unrestricted authority to do all of the following:

  1. (1) initiate a transaction;
  2. (2) bind the firm;
  3. (3) make payments; and
  4. (4) account for it.

SYSC 5.1.10

See Notes

handbook-guidance
Where a firm is unable to ensure the complete segregation of duties (for example, because it has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant senior managers).

SYSC 5.1.11

See Notes

handbook-guidance

Where a common platform firm outsources its internal audit function, it should take reasonable steps to ensure that every individual involved in the performance of this service is independent from the individuals who perform its external audit. This should not prevent services from being undertaken by a firm's external auditors provided that:

  1. (1) the work is carried out under the supervision and management of the firm's own internal staff; and
  2. (2) potential conflicts of interest between the provision of external audit services and the provision of internal audit are properly managed.

Awareness of procedures

SYSC 5.1.12

See Notes

handbook-rule

A common platform firm must ensure that its relevant persons are aware of the procedures which must be followed for the proper discharge of their responsibilities.

[Note: article 5(1)(b) of the MiFID implementing Directive]

SYSC 5.1.12A

See Notes

handbook-guidance
Other firms should take account of the rule concerning awareness of procedures (SYSC 5.1.12 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

General

SYSC 5.1.13

See Notes

handbook-rule

The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter must take into account the nature, scale and complexity of its business and the nature and range of (for a common platform firm) investment services and activities or (for every other firm) financial services and activities undertaken in the course of that business.

[Note: article 5(1) final paragraph of the MiFID implementing Directive]

SYSC 5.1.14

See Notes

handbook-rule

A common platform firm must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies.

[Note: article 5(5) of the MiFID implementing Directive]

SYSC 5.1.15

See Notes

handbook-guidance
Other firms should take account of the rule requiring monitoring and evaluation of the adequacy and effectiveness of systems (SYSC 5.1.14 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

Export chapter as

SYSC 6

Compliance, internal audit and financial crime

SYSC 6.1

Compliance

SYSC 6.1.1

See Notes

handbook-rule

A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives(or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.

[Note: article 13(2) of MiFID]

SYSC 6.1.2

See Notes

handbook-rule

A common platform firm must, taking intoaccount the nature, scale and complexity of its business, and the nature and range of investment services and activities undertaken in the course of that business, establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system, as well as associated risks, and put in place adequate measures and procedures designed to minimise such risks and to enable the FSA to exercise its powers effectively under the regulatory system and to enable any other competent authority to exercise its powers effectively under MiFID.

[Note: article 6(1) of the MiFID implementing Directive]

SYSC 6.1.2A

See Notes

handbook-guidance
Other firms should take account of the adequate policies and procedures rule (SYSC 6.1.2 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 6.1.3

See Notes

handbook-rule

A common platform firm must maintain a permanent and effective compliance function which operates independently and which has the following responsibilities:

  1. (1) to monitor and, on a regular basis, to assess the adequacy and effectiveness of the measures and procedures put in place in accordance with SYSC 6.1.2 R, and the actions taken to address any deficiencies in the firm's compliance with its obligations;
  2. (2) to advise and assist the relevant persons responsible for carrying out regulated activities to comply with the firm's obligations under the regulatory system.

[Note: article 6(2) of the MiFID implementing Directive]

SYSC 6.1.3A

See Notes

handbook-guidance
  1. (1) Other firms should take account of the compliance function rule (SYSC 6.1.3 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.
  2. (2) Notwithstanding SYSC 6.1.3 R, as it applies under (1), depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. Where a firm has a separate compliance function the firm should also take into account SYSC 6.1.3 R and SYSC 6.1.4 R as guidance.

SYSC 6.1.4

See Notes

handbook-rule

In order to enable the compliance function to discharge its responsibilities properly and independently, a common platform firm must ensure that the following conditions are satisfied:

  1. (1) the compliance function must have the necessary authority, resources, expertise and access to all relevant information;
  2. (2) a compliance officer must be appointed and must be responsible for the compliance function and for any reporting as to compliance required by SYSC 4.3.2 R;
  3. (3) the relevant persons involved in the compliance functions must not be involved in the performance of services or activities they monitor;
  4. (4) the method of determining the remuneration of the relevant persons involved in the compliance function must not compromise their objectivity and must not be likely to do so.

[Note: article 6(3) first paragraph of the MiFID implementing Directive]

SYSC 6.1.4-A

See Notes

handbook-guidance
In setting the method of determining the remuneration of relevant persons involved in the compliance function,certain banks, building societies and BIPRU 730k firms See SYSC 19.1 for details of the application of the Remuneration Code.

SYSC 6.1.4A

See Notes

handbook-rule
  1. (1) A firm which is not a common platform firm and which carries on designated investment business with or for retail clients or professional clients must allocate to a director or senior manager the function of:
    1. (a) having responsibility for oversight of the firm's compliance; and
    2. (b) reporting to the governing body in respect of that responsibility.
  2. (2) In SYSC 6.1.4A R (1) compliance means compliance with the rules in:
    1. (a) COBS (Conduct of Business sourcebook);
    2. (b) COLL (Collective Investment Schemes sourcebook) and CIS (Collective Investment Schemes sourcebook) (where appropriate);
    3. (c) CASS (Client Assets sourcebook); and
    4. (d) ICOBS (Insurance: Conduct of Business sourcebook).

SYSC 6.1.5

See Notes

handbook-rule

A common platform firm need not comply with SYSC 6.1.4 R (3) or SYSC 6.1.4 R (4) if it is able to demonstrate that in view of the nature, scale and complexity of its business, and the nature and range of (for a common platform firm) investment services and activities or (for every other firm) financial services and activities, the requirements under those rules are not proportionate and that its compliance function continues to be effective.

[Note: article 6(3) second paragraph of the MiFID implementing Directive]

SYSC 6.1.6

See Notes

handbook-rule
Other firms should take account of the proportionality rule (SYSC 6.1.5 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 6.2

Internal audit

SYSC 6.2.1

See Notes

handbook-rule

A common platform firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of investment services and activities undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm and which has the following responsibilities:

  1. (1) to establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm's systems, internal control mechanisms and arrangements;
  2. (2) to issue recommendations based on the result of work carried out in accordance with (1);
  3. (3) to verify compliance with those recommendations;
  4. (4) to report in relation to internal audit matters in accordance with SYSC 4.3.2 R.

[Note: article 8 of the MiFID implementing Directive]

SYSC 6.2.1A

See Notes

handbook-guidance
Other firms should take account of the internal audit rule (SYSC 6.2.1 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 6.2.2

See Notes

handbook-guidance
The term 'internal audit function' in SYSC 6.2.1 R (and SYSC 4.1.11 G) refers to the generally understood concept of internal audit within a firm , that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).

SYSC 6.3

Financial crime

SYSC 6.3.1

See Notes

handbook-rule

A firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that:

  1. (1) enable it to identify, assess, monitor and manage money laundering risk; and
  2. (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.

SYSC 6.3.2

See Notes

handbook-guidance
"Money laundering risk" is the risk that a firm may be used to further money laundering. Failure by a firm to manage this risk effectively will increase the risk to society of crime and terrorism.

SYSC 6.3.3

See Notes

handbook-rule
A firm must carry out a regular assessment of the adequacy of these systems and controls to ensure that they continue to comply with SYSC 6.3.1 R.

SYSC 6.3.4

See Notes

handbook-guidance
A firm may also have separate obligations to comply with relevant legal requirements, including the Terrorism Act 2000, the Proceeds of Crime Act 2002 and the Money Laundering Regulations. SYSC 6.1.1 R and SYSC 6.3.1 R to SYSC 6.3.10 G are not relevant for the purposes of regulation 42(3) or 45(2) of the Money Laundering Regulations, section 330(8) of the Proceeds of Crime Act 2002 or section 21A(6) of the Terrorism Act 2000.

SYSC 6.3.5

See Notes

handbook-guidance
The FSA , when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the United Kingdom financial sector issued by the Joint Money Laundering Steering Group.

SYSC 6.3.6

See Notes

handbook-guidance

In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:

  1. (1) its customer, product and activity profiles;
  2. (2) its distribution channels;
  3. (3) the complexity and volume of its transactions;
  4. (4) its processes and systems; and
  5. (5) its operating environment.

SYSC 6.3.7

See Notes

handbook-guidance

A firm should ensure that the systems and controls include:

  1. (1) appropriate training for its employees in relation to money laundering;
  2. (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;
  3. (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering, including documentation of its application of those policies (see SYSC 9);
  4. (4) appropriate measures to ensure that money laundering risk is taken into account in its day-to-day operation, including in relation to:
    1. (a) the development of new products;
    2. (b) the taking-on of new customers; and
    3. (c) changes in its business profile; and
  5. (5) appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.

SYSC 6.3.8

See Notes

handbook-rule
A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.

The money laundering reporting officer

SYSC 6.3.9

See Notes

handbook-rule

A firm (with the exception of a sole trader who has no employees) must:

  1. (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and
  2. (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.

SYSC 6.3.10

See Notes

handbook-guidance
The job of the MLRO within a firm is to act as the focal point for all activity within the firm relating to anti-money laundering. The FSA expects that a firm's MLRO will be based in the United Kingdom.

Export chapter as

SYSC 7

Risk control

SYSC 7.1

Risk control

SYSC 7.1.1

See Notes

handbook-guidance
SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to.

SYSC 7.1.2

See Notes

handbook-rule

A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.

[Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]

SYSC 7.1.2A

See Notes

handbook-guidance
Other firms should take account of the risk management policies and procedures rule (SYSC 7.1.2 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 7.1.3

See Notes

handbook-rule

A common platform firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm's activities, processes and systems, in light of that level of risk tolerance.

[Note: article 7(1)(b) of the MiFID implementing Directive]

SYSC 7.1.4

See Notes

handbook-rule

The senior personnel of a common platform firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

[Note: annex V paragraph 2 of the Banking Consolidation Directive]

SYSC 7.1.4A

See Notes

handbook-guidance
For a common platform firm included within the scope of SYSC 20 (Reverse stress testing), the strategies, policies and procedures for identifying, taking up, managing, monitoring and mitigating the risks to which the firm is or might be exposed include conducting reverse stress testing in accordance with SYSC 20. A common platform firm which falls outside the scope of SYSC 20 should consider conducting reverse stress tests on its business plan as well. This would further senior personnels understanding of the firm's vulnerabilities and would help them design measures to prevent or mitigate the risk of business failure.

SYSC 7.1.4B

See Notes

handbook-guidance
Other firms should take account of the risk management rules (SYSC 7.1.3 R and SYSC 7.1.4 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

SYSC 7.1.5

See Notes

handbook-rule

A common platform firm must monitor the following:

  1. (1) the adequacy and effectiveness of the firm's risk management policies and procedures;
  2. (2) the level of compliance by the firm and its relevant persons with the arrangements, processes and mechanisms adopted in accordance with SYSC 7.1.3 R;
  3. (3) the adequacy and effectiveness of measures taken to address any deficiencies in those policies, procedures, arrangements, processes and mechanisms, including failures by the relevant persons to comply with such arrangements or processes and mechanisms or follow such policies and procedures.

[Note: article 7(1)(c) of the MiFID implementing Directive]

SYSC 7.1.6

See Notes

handbook-rule

A common platform firm must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the investment services and activities undertaken in the course of that business, establish and maintain a risk management function that operates independently and carries out the following tasks:

  1. (1) implementation of the policies and procedures referred to in SYSC 7.1.2 R to SYSC 7.1.5 R; and
  2. (2) provision of reports and advice to senior personnel in accordance with SYSC 4.3.2 R.

[Note: MiFID implementing Directive Article 7(2) first paragraph]

SYSC 7.1.7

See Notes

handbook-rule

Where a common platform firm is not required under SYSC 7.1.6 R to maintain a risk management function that functions independently, it must nevertheless be able to demonstrate that the policies and procedures which it has adopted in accordance with SYSC 7.1.2 R to SYSC 7.1.5 R satisfy the requirements of those rules and are consistently effective.

[Note: article 7(2) second paragraph of the MiFID implementing Directive]

SYSC 7.1.7A

See Notes

handbook-guidance
Other firms should take account of the risk management rules (SYSC 7.1.5 R to SYSC 7.1.7 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 7.1.7B

See Notes

handbook-guidance
In setting the method of determining the remuneration of employees involved in the risk management function, certain banks, building societies and BIPRU 730k firms will also need to comply with the Remuneration Code. See SYSC 19.1 for details of the application of the Remuneration Code.

SYSC 7.1.8

See Notes

handbook-guidance
  1. (1) SYSC 4.1.3 R requires a BIPRU firm to ensure that its internal control mechanisms and administrative and accounting procedures permit the verification of its compliance with rules adopted in accordance with the Capital Adequacy Directive at all times. In complying with this obligation, a BIPRU firm should document the organisation and responsibilities of its risk management function and it should document its risk management framework setting out how the risks in the business are identified, measured, monitored and controlled.
  2. (2) The term 'risk management function' in SYSC 7.1.6 R and SYSC 7.1.7 R refers to the generally understood concept of risk assessment within a firm , that is, the function of setting and controlling risk exposure. The risk management function is not a controlled function itself, but is part of the systems and controls function (CF28).

Credit and counterparty risk

SYSC 7.1.9

See Notes

handbook-rule

A BIPRU firm must base credit-granting on sound and well-defined criteria and clearly establish the process for approving, amending, renewing, and re-financing credits.

[Note: annex V paragraph 3 of the Banking Consolidation Directive]

SYSC 7.1.10

See Notes

handbook-rule

A BIPRU firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.

[Note: annex V paragraph 4 of the Banking Consolidation Directive]

SYSC 7.1.11

See Notes

handbook-rule

A BIPRU firm must adequately diversify credit portfolios given its target market and overall credit strategy.

[Note: annex V paragraph 5 of the Banking Consolidation Directive]

SYSC 7.1.12

See Notes

handbook-guidance
The documentation maintained by a BIPRUfirm under SYSC 4.1.3 R should include its policy for credit risk, including its risk appetite and provisioning policy and should describe how it measures, monitors and controls that risk. This should include descriptions of the systems used to ensure that the policy is correctly implemented.

Residual risk

SYSC 7.1.13

See Notes

handbook-rule

A BIPRU firm must address and control by means of written policies and procedures the risk that recognised credit risk mitigation techniques used by it prove less effective than expected.

[Note: annex V paragraph 6 of the Banking Consolidation Directive]

Market risk

SYSC 7.1.14

See Notes

handbook-rule

A BIPRU firm must implement policies and processes for the measurement and management of all material sources and effects of market risks.

[Note: annex V paragraph 10 of the Banking Consolidation Directive]

Interest rate risk

SYSC 7.1.15

See Notes

handbook-rule

A BIPRU firm must implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a BIPRU firm's non-trading activities.

[Note: annex V paragraph 11 of the Banking Consolidation Directive]

Operational risk

SYSC 7.1.16

See Notes

handbook-rule

A BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency high severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.

[Note: annex V paragraph 12 of the Banking Consolidation Directive]

Export chapter as

SYSC 8

Outsourcing

SYSC 8.1

General outsourcing requirements

SYSC 8.1.1

See Notes

handbook-rule

A common platform firm must:

  1. (1) when relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter "relevant services and activities") on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk;
  2. (2) not undertake the outsourcing of important operational functions in such a way as to impair materially:
    1. (a) the quality of its internal control; and
    2. (b) the ability of the FSA to monitor the firm's compliance with all obligations under the regulatory system and, if different, of a competent authority to monitor the firm's compliance with all obligations under MiFID.

[Note: article 13(5) first paragraph of MiFID]

SYSC 8.1.1A

See Notes

handbook-guidance
Other firms should take account of the outsourcing rule (SYSC 8.1.1 R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.2

See Notes

handbook-guidance
The application of SYSC 8.1 to relevant services and activities (see SYSC 8.1.1 R (1)) is limited by SYSC 1 Annex 1 (Part 2) (Application of the common platform requirements).

SYSC 8.1.3

See Notes

handbook-guidance
SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Except in relation to those functions described in SYSC 8.1.5 R, where a firm relies on a third party for the performance of operational functions which are not critical or important for the performance of relevant services and activities (see SYSC 8.1.1 R (1)) on a continuous and satisfactory basis, it should take into account, in a manner that is proportionate given the nature, scale and complexity of the outsourcing, the rules in this section in complying with that requirement.

SYSC 8.1.4

See Notes

handbook-rule

For the purposes of this chapter an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a common platform firm with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.

[Note: article 13(1) of the MiFID implementing Directive]

SYSC 8.1.5

See Notes

handbook-rule

Without prejudice to the status of any other function, the following functions will not be considered as critical or important for the purposes of this chapter:

  1. (1) the provision to the firm of advisory services, and other services which do not form part of the relevant services and activities of the firm, including the provision of legal advice to the firm, the training of personnel of the firm, billing services and the security of the firm's premises and personnel;
  2. (2) the purchase of standardised services, including market information services and the provision of price feeds;

[Note: article 13(2) of the MiFID implementing Directive]

  1. (3) the recording and retention of relevant telephone conversations or electronic communications subject to COBS 11.8.

SYSC 8.1.5A

See Notes

handbook-guidance
Other firms should take account of the critical functions rules (SYSC 8.1.4 R and SYSC 8.1.5 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.6

See Notes

handbook-rule

If a firm outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system and must comply, in particular, with the following conditions:

  1. (1) the outsourcing must not result in the delegation by senior personnel of their responsibility;
  2. (2) the relationship and obligations of the firm towards its clients under the regulatory system must not be altered;
  3. (3) the conditions with which the firm must comply in order to be authorised, and to remain so, must not be undermined;
  4. (4) none of the other conditions subject to which the firm's authorisation was granted must be removed or modified.

[Note: article 14(1) of the MiFID implementing Directive]

SYSC 8.1.7

See Notes

handbook-rule

A common platform firm must exercise due skill and care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any relevant services and activities.

[Note: article 14(2) first paragraph of the MiFID implementing Directive]

SYSC 8.1.8

See Notes

handbook-rule

A common platform firm must in particular take the necessary steps to ensure that the following conditions are satisfied:

  1. (1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
  2. (2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;
  3. (3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
  4. (4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
  5. (5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing,and must supervise those functions and manage those risks;
  6. (6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
  7. (7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
  8. (8) the service provider must co-operate with the FSA and any other relevant competent authority in connection with the outsourced activities;
  9. (9) the firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access;
  10. (10) the service provider must protect any confidential information relating to the firm and its clients;
  11. (11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

[Note: article 14(2) second paragraph of the MiFID implementing Directive]

SYSC 8.1.9

See Notes

handbook-rule

A common platform firm must ensure that the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement.

[Note: article 14(3) of the MiFID implementing Directive]

SYSC 8.1.10

See Notes

handbook-rule

If a common platform firm and the service provider are members of the same group, the firm may, for the purpose of complying with SYSC 8.1.7 R to SYSC 8.1.11 R and SYSC 8.2 and SYSC 8.3, take into account the extent to which the common platform firm controls the service provider or has the ability to influence its actions.

[Note: article 14(4) of the MiFID implementing Directive]

SYSC 8.1.11

See Notes

handbook-rule

A common platform firm must make available on request to the FSA and any other relevant competent authority all information necessary to enable the FSA and any other relevant competent authority to supervise the compliance of the performance of the outsourced activities with the requirements of the regulatory system.

[Note: article 14(5) of the MiFID implementing Directive]

SYSC 8.1.11A

See Notes

handbook-guidance
Other firms should take account of the outsourcing of important operational functions rules (SYSC 8.1.7 R to SYSC 8.1.11 R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex 1.3.3 G.

SYSC 8.1.12

See Notes

handbook-guidance

As SUP 15.3.8 G explains, a firm should notify the FSA when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.

[Note: recital 20 of the MiFID implementing Directive]

SYSC 8.2

Outsourcing of portfolio management for retail clients to a non-EEA State

SYSC 8.2.1

See Notes

handbook-rule
  1. (1) In addition to the requirements set out in the MiFID outsourcing rules, when a MiFID investment firm outsources the investment service of portfolio management to retail clients to a service provider located in a non-EEA state, it must ensure that the following conditions are satisfied:
    1. (a) the service provider must be authorised or registered in its home country to provide that service and must be subject to prudential supervision;
    2. (b) there must be an appropriate cooperation agreement between the FSA and the supervisor in the non-EEA state;
    3. (in this chapter the "conditions").
      1. [Note: article 15(1) of the MiFID implementing Directive]
  2. (2) In addition to complying with the common platform outsourcing rules, if one or both of the conditions are not satisfied, a MiFID investment firm may enter into such an outsourcing only if it gives prior notification in writing to the FSA containing adequate details of the proposed outsourcing and the FSA does not object to that arrangement within a reasonable time following receipt of that notification.
      1. [Note: article 15(2) and (4) of the MiFID implementing Directive]
  3. (3) For the purposes of this rule a "reasonable time" is within one month of receipt of a notification. However, the FSA may seek further information from the MiFID investment firm in relation to the outsourcing proposal if this is necessary to enable the FSA to make a decision. Any effect this may have on the FSA's response time will be notified to the MiFID investment firm and that revised response time will constitute a reasonable time for the purposes of this rule.

SYSC 8.2.2

[intentionally blank]

SYSC 8.2.3

See Notes

handbook-guidance
The conditions do not apply if the outsourcing only concerns ancillary activities connected with portfolio management, for example IT processes or execution only activities.

SYSC 8.2.4

See Notes

handbook-guidance
If a firm has received no notice of objection or no request for further information from the FSA within one month of the FSA receiving the notification, it may outsource the portfolio management on the basis set out in the notification.

SYSC 8.2.5

See Notes

handbook-guidance
The FSA would use its powers under section 45 of the Act to vary a firm's permission if it objected to such a notification.

Notification requirements: timing of notification

SYSC 8.2.6

See Notes

handbook-guidance
A firm should only make an outsourcing proposal notification to the FSA after it has carried out due diligence on the service provider and has had regard to the guidance set out in SYSC 8.3. The FSA will expect a firm to only submit an outsourcing proposal notification in respect of a service provider that the firm has determined is suitable to carry on the outsourcing activity.

Notification requirements: content

SYSC 8.2.7

See Notes

handbook-guidance
The guidance set out in SYSC 8.3 includes information on what the FSA will expect a firm to check before the submission of a notification.

SYSC 8.2.8

See Notes

handbook-guidance

A notification under this section should include:

  1. (1) details on which of the conditions is not met;
  2. (2) if applicable, details and evidence of the service provider's authorisation or regulation including the regulator's contact details;
  3. (3) the firm's proposals for meeting its obligations under this chapter on an ongoing basis;
  4. (4) why the firm wishes to outsource to the service provider;
  5. (5) a draft of the outsourcing agreement between the service provider and the firm;
  6. (6) the proposed start date of the outsourcing; and
  7. (7) confirmation that the firm has had regard to the guidance in SYSC 8.3, or if it has not, why not.

Notification requirements additional guidance

SYSC 8.2.9

See Notes

handbook-guidance
Where the FSA has not objected to the outsourcing agreement, the firm should have regard to its obligations under SUP 15 which include making the FSA aware of any matters which could affect the firm's ability to provide adequate services to its customers or could result in serious detriment to its customers or where there has been material change in the information previously provided to the FSA in relation to the outsourcing.

SYSC 8.3

Guidance on outsourcing portfolio management for retail clients to a non-EEA State

SYSC 8.3.1

See Notes

handbook-guidance
This guidance is relevant regardless of whether a firm outsources portfolio management directly or indirectly via a third party. However, firms should note that they may notify a secondary or indirect outsourcing in the same notification as the direct outsourcing.

SYSC 8.3.2

See Notes

handbook-guidance

This guidance sets out examples of the type of actions that a firm proposing to outsource should have undertaken when assessing the suitability of the service provider and its ability to carry on the outsourced activity.

[Note: article 15(3) of the MiFID implementing Directive]

SYSC 8.3.3

See Notes

handbook-guidance
If a firm can demonstrate that it has taken the following guidance into account and has satisfactorily concluded that it would be able to continue to satisfy the common platform outsourcing rules and provide adequate protection for consumers despite not satisfying the conditions, the FSA would not be likely to object to that outsourcing.

SYSC 8.3.4

See Notes

handbook-guidance
If the outsourcing allows the service provider to sub-contract any of the services to be provided under the outsourcing, any such sub-contracting shall not affect the service provider's responsibilities under the outsourcing agreement.

SYSC 8.3.5

See Notes

handbook-guidance
The outsourcing agreement should entitle the firm to terminate the outsourcing if the service provider undergoes a change of control or becomes insolvent, goes into liquidation or receivership (or equivalent in its home state) or is in persistent material default under the agreement.

SYSC 8.3.6

See Notes

handbook-guidance

The following should be taken into account where the service provider is not authorised or registered in its home country and/or not subject to prudential supervision.

  1. (1) The firm should examine, and be able to demonstrate, to what extent the service provider may be subject to any form of voluntary regulation, including self-regulation in its home state.
  2. (2) The firm should be able to satisfy the FSA that the service provider is committed for the term of the outsourcing agreement to devoting sufficient, competent resources to providing the service.
  3. (3) In addition to the requirement to ensure that a service provider discloses any developments that may have a material impact on its ability to carry out the outsourcing (SYSC 8.1.8 R (6)), where the conditions are not met the developments to be disclosed should include, but are not limited to:
    1. (a) any adverse effect that any laws or regulations introduced in the service provider's home country may have on its carrying on the outsourced activity; and
    2. (b) any changes to its capital reserve levels or its prudential risks.
  4. (4) The firm should satisfy itself that the service provider is able to meet its liabilities as they fall due and that it has positive net assets.
  5. (5) The firm should require that the service provider prepares annual reports and accounts which:
    1. (a) are in accordance with the service provider's national law which, in all material respects, is the same as or equivalent to the international accounting standards;
    2. (b) have been independently audited and reported on in accordance with the service provider's national law which is the same as or equivalent to international auditing standards.
  6. (6) The firm should receive copies of each set of the audited annual report and accounts of the service provider. If the service provider expects or knows its auditor will qualify his report on the audited report and accounts, or add an explanatory paragraph, the service provider should be required to notify the firm without delay.
  7. (7) The firm should satisfy itself, and be able to demonstrate, that it has in place appropriate procedures to ensure that it is fully aware of the service provider's controls for protecting confidential information.
  8. (8) In addition to the requirement at SYSC 8.1.8 R (10) that the service provider must protect any confidential information relating to the firm or its clients, the outsourcing agreement should require the service provider to notify the firm immediately if there is a breach of confidentiality.
  9. (9) The outsourcing agreement should be governed by the law and subject to the jurisdiction of an EEA state.

SYSC 8.3.7

See Notes

handbook-guidance

The following should be taken into account by a firm where there is no cooperation agreement between the FSA and the supervisory authority of the service provider or there is no supervisory authority of the service provider.

  1. (1) The outsourcing agreement should ensure the firm can provide the FSA with any information relating to the outsourced activity the FSA may require in order to carry out effective supervision. The firm should therefore assess the extent to which the service provider's regulator and/or local laws and regulations may restrict access to information about the outsourced activity. Any such restriction should be described in the notification to be sent to the FSA.
  2. (2) The outsourcing agreement should require the service provider to provide the firm's offices in the United Kingdom with all requested information required to meet the firm's regulatory obligations. The FSA should be given an enforceable right under the agreement to obtain such information from the firm and to require the service provider to provide the information directly.

Export chapter as

SYSC 9

Record-keeping

SYSC 9.1

General rules on record-keeping

SYSC 9.1.1

See Notes

handbook-rule

A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the FSA or any other relevant competent authority under MiFID to monitor the firm's compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.

[Note: article 13(6) of MiFID and article 5(1)(f) of the MiFID implementing Directive]

SYSC 9.1.2

See Notes

handbook-rule

A common platform firm must retain all records kept by it under this chapter in relation to its MiFID business for a period of at least five years.

[Note: article 51 (1) of the MiFID implementing Directive]

SYSC 9.1.3

See Notes

handbook-rule

In relation to its MiFID business, a common platform firm must retain records in a medium that allows the storage of information in a way accessible for future reference by the FSA or any other relevant competent authority under MiFID, and so that the following conditions are met:

  1. (1) the FSA or any other relevant competent authority under MiFID must be able to access them readily and to reconstitute each key stage of the processing of each transaction;
  2. (2) it must be possible for any corrections or other amendments, and the contents of the records prior to such corrections and amendments, to be easily ascertained;
  3. (3) it must not be possible for the records otherwise to be manipulated or altered.

[Note: article 51(2) of the MiFID implementing Directive]

Guidance on record-keeping

SYSC 9.1.4

See Notes

handbook-guidance
Subject to any other record-keeping rule in the Handbook, the records required under the Handbook should be capable of being reproduced in the English language on paper. Where a firm is required to retain a record of a communication that was not made in the English language, it may retain it in that language. However, it should be able to provide a translation on request. If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language.

SYSC 9.1.5

See Notes

handbook-guidance
In relation to the retention of records for non-MiFID business, a firm should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records so that the firm may fulfil its regulatory and statutory obligations. With respect to retention periods, the general principle is that records should be retained for as long as is relevant for the purposes for which they are made.

SYSC 9.1.6

See Notes

handbook-guidance

Schedule 1 to each module of the Handbook sets out a list summarising the record-keeping requirements of that module.

[Note: article 51(3) of MiFID implementing Directive]

SYSC 9.1.7

See Notes

handbook-guidance
The Committee of European Securities Regulators (CESR) has issued recommendations on the list of minimum records under Article 51(3) of the MiFID implementing Directive. This can be found at: www.fsa.gov.uk/pubs/other/CESR_Minimum_List_Recommendations.pdf.

Export chapter as

SYSC 10

Conflicts of interest

SYSC 10.1

Application

SYSC 10.1.1

See Notes

handbook-rule
This section applies to a firm which provides services to its clients in the course of carrying on regulated activities or ancillary activities or providing ancillary services (but only where the ancillary services constitute MiFID business).

Requirements only apply if a service is provided

SYSC 10.1.2

See Notes

handbook-guidance

The requirements in this section only apply where a service is provided by a firm . The status of the client to whom the service is provided (as a retail client, professional client or eligible counterparty) is irrelevant for this purpose.

[Note: recital 25 of MiFID implementing Directive]

Identifying conflicts

SYSC 10.1.3

See Notes

handbook-rule

A firm must take all reasonable steps to identify conflicts of interest between:

  1. (1) the firm, including its managers, employees and appointed representatives (or where applicable, tied agents ), or any person directly or indirectly linked to them by control, and a client of the firm; or
  2. (2) one client of the firm and another client;

that arise or may arise in the course of the firm providing any service referred to in SYSC 10.1.1 R.

[Note: article 18(1) of MiFID]

Types of conflicts

SYSC 10.1.4

See Notes

handbook-rule

For the purposes of identifying the types of conflict of interest that arise, or may arise, in the course of providing a service and whose existence may entail a material risk of damage to the interests of a client, a common platform firm must take into account, as a minimum, whether the firm or a relevant person, or a person directly or indirectly linked by control to the firm:

  1. (1) is likely to make a financial gain, or avoid a financial loss, at the expense of the client;
  2. (2) has an interest in the outcome of a service provided to the client or of a transaction carried out on behalf of the client, which is distinct from the client's interest in that outcome;
  3. (3) has a financial or other incentive to favour the interest of another client or group of clients over the interests of the client;
  4. (4) carries on the same business as the client; or
  5. (5) receives or will receive from a person other than the client an inducement in relation to a service provided to the client, in the form of monies, goods or services, other than the standard commission or fee for that service.

The conflict of interest may result from the firm or person providing a service referred to in SYSC 10.1.1 R or engaging in any other activity.

[Note: article 21 of MiFID implementing Directive]

SYSC 10.1.4A

See Notes

handbook-guidance
Other firms should take account of the rule on the types of conflicts (see SYSC 10.1.4 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G, except when they produce or arrange the production of investment research in accordance with COBS 12.2, or produce or disseminate non-independent research in accordance with COBS 12.3 (see SYSC 10.1.16 R).

SYSC 10.1.5

See Notes

handbook-guidance

The circumstances which should be treated as giving rise to a conflict of interest cover cases where there is a conflict between the interests of the firm or certain persons connected to the firm or the firm's group and the duty the firm owes to a client; or between the differing interests of two or more of its clients, to whom the firm owes in each case a duty. It is not enough that the firm may gain a benefit if there is not also a possible disadvantage to a client, or that one client to whom the firm owes a duty may make a gain or avoid a loss without there being a concomitant possible loss to another such client.

[Note: recital 24 of MiFID implementing Directive]

Record of conflicts

SYSC 10.1.6

See Notes

handbook-rule

A common platform firm must keep and regularly update a record of the kinds of service or activity carried out by or on behalf of the firm in which a conflict of interest entailing a material risk of damage to the interests of one or more clients has arisen or, in the case of an ongoing service or activity, may arise.

[Note: article 23 of MiFID implementing Directive]

SYSC 10.1.6A

See Notes

handbook-guidance
Other firms should take account of the rule on records of conflicts (see SYSC 10.1.6 R) as if it were guidance (and as if "should" appeared in that rule instead of "must", as explained in SYSC 1 Annex 1.3.3 G), except when they produce or arrange the production of investment research in accordance with COBS 12.2, or produce or disseminate non-independent research in accordance with COBS 12.3 (see SYSC 10.1.16 R).

Managing conflicts

SYSC 10.1.7

See Notes

handbook-rule

A firm must maintain and operate effective organisational and administrative arrangements with a view to taking all reasonable steps to prevent conflicts of interest as defined in SYSC 10.1.3 R from constituting or giving rise to a material risk of damage to the interests of its clients.

[Note: article 13(3) of MiFID]

Disclosure of conflicts

SYSC 10.1.8

See Notes

handbook-rule
  1. (1) If arrangements made by a firm under SYSC 10.1.7 R to manage conflicts of interest are not sufficient to ensure, with reasonable confidence, that risks of damage to the interests of a client will be prevented, the firm must clearly disclose the general nature and/or sources of conflicts of interest to the client before undertaking business for the client.
  2. (2) The disclosure must:
    1. (a) be made in a durable medium; and
    2. (b) include sufficient detail, taking into account the nature of the client, to enable that client to take an informed decision with respect to the service in the context of which the conflict of interest arises.


[Note: article 18(2) of MiFID and Article 22(4) of MiFID implementing Directive]

SYSC 10.1.8A

See Notes

handbook-rule
The obligation in SYSC 10.1.8 R (2)(a) does not apply to a firm when carrying on insurance mediation activity.

SYSC 10.1.9

See Notes

handbook-guidance

Firms should aim to identify and manage the conflicts of interest arising in relation to their various business lines and their group's activities under a comprehensive conflicts of interest policy. In particular, the disclosure of conflicts of interest by a firm should not exempt it from the obligation to maintain and operate the effective organisational and administrative arrangements under SYSC 10.1.7 R. While disclosure of specific conflicts of interest is required by SYSC 10.1.8 R, an over-reliance on disclosure without adequate consideration as to how conflicts may appropriately be managed is not permitted.

[Note: recital 27 of MiFID implementing Directive]

Conflicts policy

SYSC 10.1.10

See Notes

handbook-rule
(1) A common platform firm must establish, implement and maintain an effective conflicts of interest policy that is set out in writing and is appropriate to the size and organisation of the firm and the nature, scale and complexity of its business.
(2) Where the common platform firm is a member of a group, the policy must also take into account any circumstances, of which the firm is or should be aware, which may give rise to a conflict of interest arising as a result of the structure and business activities of other members of the group.


[Note: article 22(1) of MiFID implementing Directive]

Contents of policy

SYSC 10.1.11

See Notes

handbook-rule
(1) The conflicts of interest policy must include the following content:
(a) it must identify in accordance with SYSC 10.1.3 R and SYSC 10.1.4 R, by reference to the specific services and activities carried out by or on behalf of the common platform firm, the circumstances which constitute or may give rise to a conflict of interest entailing a material risk of damage to the interests of one or more clients; and
(b) it must specify procedures to be followed and measures to be adopted in order to manage such conflicts.
(2) The procedures and measures provided for in paragraph (1)(b) must:
(a) be designed to ensure that relevant persons engaged in different business activities involving a conflict of interest of the kind specified in paragraph (1)(a) carry on those activities at a level of independence appropriate to the size and activities of the common platform firm and of the group to which itbelongs, and to the materiality of the risk of damage to the interests of clients; and
(b) include such of the following as are necessary and appropriate for the common platform firm to ensure the requisite degree of independence:
(i) effective procedures to prevent or control the exchange of information between relevant persons engaged in activities involving a risk of a conflict of interest where the exchange of that information may harm the interests of one or more clients;
(ii) the separate supervision of relevant persons whose principal functions involve carrying out activities on behalf of, or providing services to, clients whose interests may conflict, or who otherwise represent different interests that may conflict, including those of the firm;
(iii) the removal of any direct link between the remuneration of relevant persons principally engaged in one activity and the remuneration of, or revenues generated by, different relevant persons principally engaged in another activity, where a conflict of interest may arise in relation to those activities;
(iv) measures to prevent or limit any person from exercising inappropriate influence over the way in which a relevant person carries out services or activities; and
(v) measures to prevent or control the simultaneous or sequential involvement of a relevant person in separate services or activities where such involvement may impair the proper management of conflicts of interest.
(3) If the adoption or the practice of one or more of those measures and procedures does not ensure the requisite level of independence, a common platform firm must adopt such alternative or additional measures and procedures as are necessary and appropriate for the purposes of paragraph (1)(b).


[Note: article 22(2) and (3) of MiFID implementing Directive]

SYSC 10.1.11A

See Notes

handbook-guidance
Other firms should take account of the rules relating to conflicts of interest policies (see SYSC 10.1.10 R and SYSC 10.1.11 R) as if they were guidance (and as if "should" appeared in those rules instead of "must", as explained in SYSC 1 Annex 1.3.3 G), except when they produce or arrange the production of investment research in accordance with COBS 12.2, or produce or disseminate non-independent research in accordance with COBS 12.3 (see SYSC 10.1.16 R).

SYSC 10.1.12

See Notes

handbook-guidance

In drawing up a conflicts of interest policy which identifies circumstances which constitute or may give rise to a conflict of interest, a firm should pay special attention to the activities of investment research and advice, proprietary trading, portfolio management and corporate finance business, including underwriting or selling in an offering of securities and advising on mergers and acquisitions. In particular, such special attention is appropriate where the firm or a person directly or indirectly linked by control to the firm performs a combination of two or more of those activities.

[Note: recital 26 of MiFID implementing Directive]

Corporate finance

SYSC 10.1.13

See Notes

handbook-guidance
This section is relevant to the management of a securities offering by any firm.

SYSC 10.1.14

See Notes

handbook-guidance
A firm will wish to note that when carrying on a mandate to manage an offering of securities, the firm's duty for that business is to its corporate finance client (in many cases, the corporate issuer or seller of the relevant securities), but that its responsibilities to provide services to its investment clients are unchanged.

SYSC 10.1.15

See Notes

handbook-guidance

Measures that a firm might wish to consider in drawing up its conflicts of interest policy in relation to the management of an offering of securities include:

  1. (1) at an early stage agreeing with its corporate finance client relevant aspects of the offering process such as the process the firm proposes to follow in order to determine what recommendations it will make about allocations for the offering; how the target investor group will be identified; how recommendations on allocation and pricing will be prepared; and whether the firm might place securities with its investment clients or with its own proprietary book, or with an associate, and how conflicts arising might be managed; and
  2. (2) agreeing allocation and pricing objectives with the corporate finance client; inviting the corporate finance client to participate actively in the allocation process; making the initial recommendation for allocation to retail clients of the firm as a single block and not on a named basis; having internal arrangements under which senior personnel responsible for providing services to retail clients make the initial allocation recommendations for allocation to retail clients of the firm; and disclosing to the issuer details of the allocations actually made.

[Note: The provisions in SYSC 10.1 also implement BCD Article 22 and BCD Annex V paragraph 1]

Application of conflicts of interest rules to non-common platform firms when producing investment research or non-independent research

SYSC 10.1.16

See Notes

handbook-rule

The rules relating to:

  1. (1) types of conflict (see SYSC 10.1.4 R);
  2. (2) records of conflicts (see SYSC 10.1.6 R); and
  3. (3) conflicts of interest policies (see SYSC 10.1.10 R and SYSC 10.1.11 R);

also apply to a firm which is not a common platform firm when it produces, or arranges for the production of, investment research that is intended or likely to be subsequently disseminated to clients of the firm or to the public in accordance with COBS 12.2, and when it produces or disseminates non-independent research in accordance with COBS 12.3.

SYSC 10.2

Chinese walls

Application

Control of information

SYSC 10.2.2

See Notes

handbook-rule
  1. (1) When a firm establishes and maintains a Chinese wall (that is, an arrangement that requires information held by a person in the course of carrying on one part of the business to be withheld from, or not to be used for, persons with or for whom it acts in the course of carrying on another part of its business) it may:
    1. (a) withhold or not use the information held; and
    2. (b) for that purpose, permit persons employed in the first part of its business to withhold the information held from those employed in that other part of the business;
  2. but only to the extent that the business of one of those parts involves the carrying on of regulated activities, ancillary activities or, in the case of MiFID business, the provision of ancillary services.
  3. (2) Information may also be withheld or not used by a firm when this is required by an established arrangement maintained between different parts of the business (of any kind) in the same group. This provision does not affect any requirement to transmit or use information that may arise apart from the rules in COBS.
  4. (3) For the purpose of this rule, "maintains" includes taking reasonable steps to ensure that the arrangements remain effective and are adequately monitored, and must be interpreted accordingly.
  5. (4) For the purposes of section 118A(5)(a) of the Act, behaviour conforming with paragraph (1) does not amount to market abuse.

Effect of rules

SYSC 10.2.3

See Notes

handbook-guidance

SYSC 10.2.2 R is made under section 147 of the Act (Control of information rules). It has the following effect:

  1. (1) acting in conformity with SYSC 10.2.2 R (1) provides a defence against proceedings brought under section 397(2) or (3) of the Act (Misleading statements and practices) - see sections 397(4) and (5)(c);
  2. (2) behaviour in conformity with SYSC 10.2.2 R (1) does not amount to market abuse (see SYSC 10.2.2 R (4)); and
  3. (3) acting in conformity with SYSC 10.2.2 R (1) provides a defence for a firm against FSA enforcement action, or an action for damages under section 150 of the Act, based on a breach of a relevant requirement to disclose or use this information.

Attribution of knowledge

SYSC 10.2.4

See Notes

handbook-rule
When any of the rules of COBS or CASS apply to a firm that acts with knowledge, the firm will not be taken to act with knowledge for the purposes of that rule if none of the relevant individuals involved on behalf of the firm acts with that knowledge as a result of arrangements established under SYSC 10.2.2 R.

SYSC 10.2.5

See Notes

handbook-guidance
When a firm manages a conflict of interest using the arrangements in SYSC 10.2.2 R which take the form of a Chinese wall, individuals on the other side of the wall will not be regarded as being in possession of knowledge denied to them as a result of the Chinese wall.

Export chapter as

SYSC 11

Liquidity risk systems and controls

SYSC 11.1

Application

SYSC 11.1.5

See Notes

handbook-guidance
  1. (1) [deleted]
  2. (2) [deleted]

SYSC 11.1.6

See Notes

handbook-rule

If a firm carries on:

  1. (1) long-term insurance business; and
  2. (2) general insurance business;

SYSC 11 applies separately to each type of business.

Purpose

SYSC 11.1.7

See Notes

handbook-guidance

The purpose of SYSC 11 is to amplify GENPRU and SYSC in their specific application to liquidity risk and, in so doing, to indicate minimum standards for systems and controls in respect of that risk.

SYSC 11.1.8

See Notes

handbook-guidance

Appropriate systems and controls for the management of liquidity risk will vary with the scale, nature and complexity of the firm's activities. Most of the material in SYSC 11 is, therefore, guidance. SYSC 11 lays out some of the main issues that the FSA expects a firm to consider in relation to liquidity risk. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3 to organise and control its affairs responsibly and effectively.

SYSC 11.1.9

See Notes

handbook-guidance

SYSC 11 addresses the need to have appropriate systems and controls to deal both with liquidity management issues under normal market conditions, and with stressed or extreme situations resulting from either general market turbulence or firm-specific difficulties.

SYSC 11.1.13

See Notes

handbook-guidance

An insurer is also required to comply with the requirements in relation to liquidity risk set out in INSPRU 4.1.

SYSC 11.1.17

See Notes

handbook-guidance

High level requirements in relation to carrying out stress testing and scenario analysis are set out in GENPRU 1.2. In particular, GENPRU 1.2.42R requires a firm to carry out appropriate stress testing and scenario analysis. SYSC 11 gives guidance in relation to these tests in the case of liquidity risk.

Stress testing and scenario analysis

SYSC 11.1.18

See Notes

handbook-guidance

The effect of GENPRU 1.2.30R, GENPRU 1.2.34R, GENPRU 1.2.37R(1) and GENPRU 1.2.42R is that, for the purposes of determining the adequacy of its overall financial resources, a firm must carry out appropriate stress testing and scenario analysis, including taking reasonable steps to identify an appropriate range of realistic adverse circumstances and events in which liquidity risk might occur or crystallise.

SYSC 11.1.19

See Notes

handbook-guidance

GENPRU 1.2.40G and GENPRU 1.2.62G to GENPRU 1.2.78G give guidance on stress testing and scenario analysis, including on how to choose appropriate scenarios, but the precise scenarios that a firm chooses to use will depend on the nature of its activities. For the purposes of testing liquidity risk, however, a firm should normally consider scenarios based on varying degrees of stress and both firm-specific and market-wide difficulties. In developing any scenario of extreme market-wide stress that may pose systemic risk, it may be appropriate for a firm to make assumptions about the likelihood and nature of central bank intervention.

SYSC 11.1.20

See Notes

handbook-guidance

A firm should review frequently the assumptions used in stress testing scenarios to gain assurance that they continue to be appropriate.

SYSC 11.1.21

See Notes

handbook-evidential-provisions
  1. (1) A scenario analysis in relation to liquidity risk required under GENPRU 1.2.42R should include a cash-flow projection for each scenario tested, based on reasonable estimates of the impact (both on and off balance sheet) of that scenario on the firm's funding needs and sources.
  2. (2) Contravention of (1) may be relied on as tending to establish contravention of GENPRU 1.2.42R.

SYSC 11.1.22

See Notes

handbook-guidance

In identifying the possible on and off balance sheet impact referred to in SYSC 11.1.21E (1), a firm may take into account:

  1. (1) possible changes in the market's perception of the firm and the effects that this might have on the firm's access to the markets, including:
    1. (a) (where the firm funds its holdings of assets in one currency with liabilities in another) access to foreign exchange markets, particularly in less frequently traded currencies;
    2. (b) access to secured funding, including by way of repo transactions; and
    3. (c) the extent to which the firm may rely on committed facilities made available to it;
  2. (2) (if applicable) the possible effect of each scenario analysed on currencies whose exchange rates are currently pegged or fixed; and
  3. (3) that:
    1. (a) general market turbulence may trigger a substantial increase in the extent to which persons exercise rights against the firm under off balance sheet instruments to which the firm is party;
    2. (b) access to OTC derivative and foreign exchange markets are sensitive to credit-ratings;
    3. (c) the scenario may involve the triggering of early amortisation in asset securitisation transactions with which the firm has a connection; and
    4. (d) its ability to securitise assets may be reduced.

Contingency funding plans

SYSC 11.1.23

See Notes

handbook-guidance

GENPRU 1.2.26R states that a firm must at all times maintain overall financial resources adequate to ensure that there is no significant risk that its liabilities cannot be met as they fall due. GENPRU 1.2.42R(1)(b) provides that for the purposes of determining the adequacy of its overall financial resources, a firm must estimate the financial resources it would need in each of the circumstances and events considered in carrying out its stress testing and scenario analysis in order to, inter alia, meet its liabilities as they fall due.

SYSC 11.1.24

See Notes

handbook-evidential-provisions
  1. (1) A firm should have an adequately documented contingency funding plan for taking action to ensure, so far as it can, that, in each of the scenarios analysed under GENPRU 1.2.42R(1)(b), it would still have sufficient liquid financial resources to meet liabilities as they fall due.
  2. (2) The contingency funding plan should cover what events or circumstances will lead the firm to put into action any part of the plan.
  3. (3) [deleted]
  4. (4) A firm's contingency funding plan should, where relevant, take account of the impact of stressed market conditions on:
    1. (a) the behaviour of any credit-sensitive liabilities it has; and
    2. (b) its ability to securitise assets.
  5. (5) A firm's contingency funding plan should contain administrative policies and procedures that will enable the firm to manage the plan's implementation effectively, including:
    1. (a) the responsibilities of senior management;
    2. (b) names and contact details of members of the team responsible for implementing the contingency funding plan;
    3. (c) where, geographically, team members will be assigned;
    4. (d) who within the team is responsible for contact with head office (if appropriate), analysts, investors, external auditors, press, significant client's, regulators, lawyers and others; and
    5. (e) mechanisms that enable senior management and the governing body to receive management information that is both relevant and timely.
  6. (6) Contravention of any of (1) to (5) may be relied upon as tending to establish contravention of GENPRU 1.2.30R(2)(c).

Documentation

SYSC 11.1.25

See Notes

handbook-guidance

GENPRU 1.2.60R requires a firm to document its assessment of the adequacy of its liquidity financial resources, how it intends to deal with those risks, and details of the stress tests and scenario analyses carried out and the resulting financial resources estimated to be required. Accordingly, a firm should document both its stress testing and scenario analysis (see SYSC 11.1.18 G) and its contingency funding plan (see SYSC 11.1.23 G).

SYSC 11.1.28

See Notes

handbook-guidance

[deleted

Export chapter as

SYSC 12

Group risk systems and controls requirements

SYSC 12.1

Application

SYSC 12.1.1

See Notes

handbook-rule

Subject to SYSC 12.1.2 R to SYSC 12.1.4 R, this section applies to each of the following which is a member of a group:

  1. (1) a firm that falls into any one or more of the following categories:
    1. (a) a regulated entity;
    2. (b) an ELMI;
    3. (c) an insurer;
    4. (d) a BIPRU firm;
    5. (e) a non-BIPRU firm that is a parent financial holding company in a Member State and is a member of a UK consolidation group; and
    6. (f) a firm subject to the rules in IPRU(INV) Chapter 14.
  2. (2) a UCITS firm, but only if its group contains a firm falling into (1); and
  3. (3) the Society.

SYSC 12.1.2

See Notes

handbook-rule

Except as set out in SYSC 12.1.4 R, this section applies with respect to different types of group as follows:

  1. (1) SYSC 12.1.8 R and SYSC 12.1.10 R apply with respect to all groups, including FSA regulated EEA financial conglomerates, other financial conglomerates and groups dealt with in SYSC 12.1.13 R to SYSC 12.1.16 R;
  2. (2) the additional requirements set out in SYSC 12.1.11 R and SYSC 12.1.12 R only apply with respect to FSA regulated EEA financial conglomerates; and
  3. (3) the additional requirements set out in SYSC 12.1.13 R to SYSC 12.1.16 R only apply with respect to groups of the kind dealt with by whichever of those rules apply.

SYSC 12.1.3

See Notes

handbook-rule

This section does not apply to:

  1. (1) an incoming EEA firm; or
  2. (2) an incoming Treaty firm; or
  3. (3) a UCITS qualifier; or
  4. (4) an ICVC; or
  5. (5) an incoming ECA provider acting as such.

SYSC 12.1.4

See Notes

handbook-rule
  1. (1) This rule applies in respect of the following rules:
    1. (a) SYSC 12.1.8R (2);
    2. (b) SYSC 12.1.10R (1), so far as it relates to SYSC 12.1.8R (2);
    3. (c) SYSC 12.1.10R (2); and
    4. (d) SYSC 12.1.11 R to SYSC 12.1.15 R.
  2. (2) The rules referred to in (1):
    1. (a) only apply with respect to a financial conglomerate if it is an FSA regulated EEA financial conglomerate;
    2. (b) (so far as they apply with respect to a group that is not a financial conglomerate) do not apply with respect to a group for which a competent authority in another EEA state is lead regulator;
    3. (c) (so far as they apply with respect to a financial conglomerate) do not apply to a firm with respect to a financial conglomerate of which it is a member if the interest of the financial conglomerate in that firm is no more than a participation;
    4. (d) (so far as they apply with respect to other groups) do not apply to a firm with respect to a group of which it is a member if the only relationship of the kind set out in paragraph (3) of the definition of group between it and the other members of the group is nothing more than a participation; and
    5. (e) do not apply with respect to a third-country group.

SYSC 12.1.5

See Notes

handbook-guidance

For the purpose of this section, a group is defined in the Glossary, and includes the whole of a firm's group, including financial and non-financial undertakings. It also covers undertakings with other links to group members if their omission from the scope of group risk systems and controls would be misleading. The scope of the group systems and controls requirements may therefore differ from the scope of the quantitative requirements for groups.

Purpose

SYSC 12.1.6

See Notes

handbook-guidance

The purpose of this chapter is to set out how the systems and control requirements imposed by SYSC (Senior Management Arrangements, Systems and Controls) apply where a firm is part of a group. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.

SYSC 12.1.7

See Notes

handbook-guidance

This section implements Articles 73(3) (Supervision on a consolidated basis of credit institutions) and 138 (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directive, Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes) and Article 8 of the Insurance Groups Directive (Intra-group transactions).

General rules

SYSC 12.1.8

See Notes

handbook-rule

A firm must:

  1. (1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and
  2. (2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.

SYSC 12.1.9

See Notes

handbook-guidance

For the purposes of SYSC 12.1.8 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business and of the risks that the group bears. Risk management processes must include the stress testing and scenario analysis required by GENPRU 1.2.42 R and GENPRU 1.2.49R (1)(b).

SYSC 12.1.10

See Notes

handbook-rule

The internal control mechanisms referred to in SYSC 12.1.8 R must include:

  1. (1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency, systems and controls and large exposures):
    1. (a) to which the firm is subject with respect to its membership of a group; or
    2. (b) that apply to or with respect to that group or part of it; and
  2. (2) mechanisms that are adequate to monitor funding within the group.

Financial conglomerates

SYSC 12.1.11

See Notes

handbook-rule

Where this section applies with respect to a financial conglomerate, the risk management processes referred to in SYSC 12.1.8R (2) must include:

  1. (1) sound governance and management processes, which must include the approval and periodic review by the appropriate managing bodies within the financial conglomerate of the strategies and policies of the financial conglomerate in respect of all the risks assumed by the financial conglomerate, such review and approval being carried out at the level of the financial conglomerate;
  2. (2) adequate capital adequacy policies at the level of the financial conglomerate, one of the purposes of which must be to anticipate the impact of the business strategy of the financial conglomerate on its risk profile and on the capital adequacy requirements to which it and its members are subject;
  3. (3) adequate procedures for the purpose of ensuring that the risk monitoring systems of the financial conglomerate and its members are well integrated into their organisation; and
  4. (4) adequate procedures for the purpose of ensuring that the systems and controls of the members of the financial conglomerate are consistent and that the risks can be measured, monitored and controlled at the level of the financial conglomerate.

SYSC 12.1.12

See Notes

handbook-rule

Where this section applies with respect to a financial conglomerate, the internal control mechanisms referred to in SYSC 12.1.8R (2) must include:

  1. (1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate to risks; and
  2. (2) sound reporting and accounting procedures for the purpose of identifying, measuring, monitoring and controlling intra-group transactions and risk concentrations.

BIPRU firms and other firms to which BIPRU 8 applies

SYSC 12.1.13

See Notes

handbook-rule

If this rule applies under SYSC 12.1.14 R to a firm, the firm must:

  1. (1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEA sub-group of which it is a member, as well as in relation to its group; and
  2. (2) ensure that the risk management processes and internal control mechanisms at the level of any UK consolidation group or non-EEA sub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated) basis:
    1. (a) SYSC 4.1.1 R and SYSC 4.1.2 R;
    2. (b) SYSC 4.1.7 R;
    3. (c) SYSC 5.1.7 R;
    4. (d) SYSC 7;
    5. (e) BIPRU 12.3.4 R, BIPRU 12.3.5 R, BIPRU 12.3.8 R (3) , BIPRU 12.3.22A R, BIPRU 12.3.22B R, BIPRU 12.3.27 R, BIPRU 12.4.-2 R, BIPRU 12.4.-1 R, BIPRU 12.4.5A R, BIPRU 12.4.10 R and BIPRU 12.4.11 R;
    6. (f) BIPRU 2.3.7 R (1);
    7. (g) BIPRU 9.1.6 R and BIPRU 9.13.21 R (Liquidity plans);
    8. (h) BIPRU 10.12.3 R (Concentration risk policies).

[Note: article 73(3) of the Banking Consolidation Directive]

SYSC 12.1.14

See Notes

handbook-rule

SYSC 12.1.13 R applies to a firm that is:

  1. (1) an ELMI;
  2. (2) a BIPRU firm; or
  3. (3) a non-BIPRU firm that is a parent financial holding company in a Member State and is a member of a UK consolidation group.

SYSC 12.1.15

See Notes

handbook-rule

In the case of a firm that:

the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity holding company and any of the mixed-activity holding company's subsidiary undertakings.

Insurance undertakings

SYSC 12.1.16

See Notes

handbook-rule
In the case of an insurer that has a mixed-activity insurance holding company as a parent undertaking, the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity insurance holding company and any of the mixed-activity insurance holding company's subsidiary undertakings.

Nature and extent of requirements and allocation of responsibilities within the group

SYSC 12.1.18

See Notes

handbook-guidance
Assessment of the adequacy of a group's systems and controls required by this section will form part of the FSA's risk management process.

SYSC 12.1.19

See Notes

handbook-guidance
The nature and extent of the systems and controls necessary under SYSC 12.1.8R (1) to address group risk will vary according to the materiality of those risks to the firm and the position of the firm within the group.

SYSC 12.1.20

See Notes

handbook-guidance
In some cases the management of the systems and controls used to address the risks described in SYSC 12.1.8R (1) may be organised on a group-wide basis. If the firm is not carrying out those functions itself, it should delegate them to the group members that are carrying them out. However, this does not relieve the firm of responsibility for complying with its obligations under SYSC 12.1.8R (1). A firm cannot absolve itself of such a responsibility by claiming that any breach of that rule is caused by the actions of another member of the group to whom the firm has delegated tasks. The risk management arrangements are still those of the firm, even though personnel elsewhere in the firm's group are carrying out these functions on its behalf.

SYSC 12.1.21

See Notes

handbook-guidance
SYSC 12.1.8R (1) deals with the systems and controls that a firm should have in respect of the exposure it has to the rest of the group. On the other hand, the purpose of SYSC 12.1.8R (2) and the rules in this section that amplify it is to require groups to have adequate systems and controls. However a group is not a single legal entity on which obligations can be imposed. Therefore the obligations have to be placed on individual firms. The purpose of imposing the obligations on each firm in the group is to make sure that the FSA can take supervisory action against any firm in a group whose systems and controls do not meet the standards in this section. Thus responsibility for compliance with the rules for group systems and controls is a joint one.

SYSC 12.1.22

See Notes

handbook-guidance
If both a firm and its parent undertaking are subject to SYSC 12.1.8R (2), the FSA would not expect systems and controls to be duplicated. In this case, the firm should assess whether and to what extent it can rely on its parent's group risk systems and controls.

Export chapter as

SYSC 13

Operational risk: systems and controls for insurers

SYSC 13.1

Application

SYSC 13.1.1

See Notes

handbook-guidance

SYSC 13 applies to an insurer unless it is:

SYSC 13.1.2

See Notes

handbook-guidance

SYSC 13 applies to:

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

SYSC 13.1.3

See Notes

handbook-guidance
SYSC 13 applies to a UK ISPV.

SYSC 13.1.4

See Notes

handbook-guidance
SYSC 13 does not apply to an incoming ECA provider acting as such.

SYSC 13.2

Purpose

SYSC 13.2.1

See Notes

handbook-guidance
SYSC 13 provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any of a firm's operations, such as its IT systems and outsourcing arrangements. It does not cover systems and controls for managing credit, market, liquidity and insurance risk.

SYSC 13.2.2

See Notes

handbook-guidance
Operational risk is a concept that can have a different application for different firms. A firm should assess the appropriateness of the guidance in this chapter in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3, to organise and control its affairs responsibly and effectively.