SYSC Senior Management Arrangements, Systems and Controls sourcebook

You are viewing the Handbook in the past on 31/12/2004

View Handbook as at:

Export part as

SYSC 1

Application and purpose

SYSC 1.1

Application of SYSC 2 and SYSC 3

01/12/2004

Purpose of this section

SYSC 1.1.-2

This section sets out the application of SYSC 2 Senior management arrangements and SYSC 3 Systems and controls.

01/12/2001

SYSC 1.1.-1

The application of SYSC 3A (Operational Risk: Systems and Controls) is set out in SYSC 3A.1.1 G and SYSC 3A.1.2 G. The application of SYSC 4 (Guidance on Public Interest Disclosure Act: Whistleblowing) is set out in SYSC 4.1.1 R Application.

31/12/2004

Who?

SYSC 1.1.1

SYSC 2 and SYSC 3 apply to every firm except that:

(1) for an incoming EEA firm or an incoming Treaty firm:

(a) SYSC 2.1.1 R and SYSC 2.1.2 G do not apply;
(b) SYSC 2.1.3 R to SYSC 2.2.3 G apply, but only in relation to allocation of the function in SYSC 2.1.3 R (2) and only in so far as responsibility for the matter in question is not reserved by a European Community instrument to the firm's Home State regulator; and
(c) SYSC 3 applies, but only in so far as responsibility for the matter in question is not reserved by a European Community instrument to the firm's Home State regulator;

(2) for an incoming EEA firm which has permission only for cross border services and which does not carry on regulated activities in the United Kingdom, SYSC 2 and SYSC 3 do not apply;
(3) SYSC 2 does not apply to a sole trader as long as he does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements); and
(4) for a UCITS qualifier:

(a) SYSC 2.1.1 R and SYSC 2.1.2 G do not apply;
(b) SYSC 2.1.3 R to SYSC 2.2.3 G apply, but only in relation to allocation of the function in SYSC 2.1.3 R (2) and only with respect to the activities in SYSC 1.1.4 R;
(c) SYSC 3 applies, but only with respect to the activities in SYSC 1.1.4 R.;

31/10/2004
Future version of SYSC 1.1.1 after 01/03/2006

SYSC 1.1.2

(1) Question 12 in SYSC 2.1.6 G and SYSC App 1 contain guidance on SYSC 1.1.1 R (1)(b) and (c).
(2) SYSC 1.1.7 R and SYSC 1.1.10 R further restrict the territorial application of SYSC 2 and SYSC 3 for an incoming EEA firm, incoming Treaty firm or UCITS qualifier.
(3) SYSC 1.1.1 R (4) puts incoming EEA firm on an equal footing with unauthorised overseas persons who utilise the overseas persons exclusions in article 72 of the Regulated Activities Order.

31/10/2004
Future version of SYSC 1.1.2 after 01/11/2007

What?

SYSC 1.1.3

SYSC 2 and SYSC 3 apply with respect to the carrying on of:

(1) regulated activities;
(2) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of the Regulated Activities Order (Absence of holding out etc); and
(3) ancillary activities in relation to designated investment business, home finance activity and insurance mediation activity.;

except that SYSC 3.2.6A R to SYSC 3.2.6J G do not apply as described in SYSC 1.1.3A R.

01/05/2002
Future version of SYSC 1.1.3 after 01/03/2006

SYSC 1.1.4

SYSC 2 and SYSC 3 also apply with respect to the communication and approval of financial promotions which:

(1) if communicated by an unauthorised person without approval would contravene section 21(1) of the Act (Restrictions on financial promotion); and
(2) may be communicated by a firm without contravening section 238(1) of the Act (Restrictions on promotion of collective investment schemes).

01/05/2002
Future version of SYSC 1.1.4 after 01/03/2006

SYSC 1.1.5

SYSC 2 and SYSC 3 also:

(1) apply with respect to the carrying on of unregulated activities in a prudential context; and
(2) take into account any activity of other members of a group of which the firm is a member.

01/02/2004
Future version of SYSC 1.1.5 after 01/03/2006

SYSC 1.1.6

SYSC 1.1.5 R (2) does not mean that inadequacy of a group member's systems and controls will automatically lead to a firm contravening, for example, SYSC 3.1.1 R. Rather, the potential impact of a group member's activities, including its systems and controls, and any systems and controls that operate on a group basis, will be relevant in determining the appropriateness of the firm's own systems and controls.

01/12/2001

Where?

SYSC 1.1.7

SYSC 2 and SYSC 3 apply with respect to activities carried on from an establishment maintained by the firm (or its appointed representative) in the United Kingdom unless another applicable rule which is relevant to the activity has a wider territorial scope, in which case SYSC 2 and SYSC 3 apply with that wider scope in relation to the activity described in that rule.

01/05/2002
Future version of SYSC 1.1.7 after 01/11/2007

SYSC 1.1.8

An example of the type of rule referred to in SYSC 1.1.7 R with a different territorial scope is the rules in CASS 2 (Custody). CASS 2 applies, for certain UK firms, to activities carried on from branches in other EEA States as well as UK establishments (CASS 1.3.3 R (General application where?)). Therefore SYSC 2 and SYSC 3 apply to the custody activities described in CASS 2 carried on from such a branch by such a UK firm. The UK firm must, for example, take reasonable care to establish systems and controls under SYSC 3.1.1 R as are appropriate to those activities carried on from its EEA branches as well as from its UK establishments.

01/05/2002
Future version of SYSC 1.1.8 after 01/11/2007

SYSC 1.1.9

SYSC 2 and SYSC 3 also apply in a prudential context to a UK domestic firm with respect to activities wherever they are carried on.

01/05/2002
Future version of SYSC 1.1.9 after 01/03/2006

SYSC 1.1.10

SYSC 3 also applies in a prudential context to an overseas firm (other than an incoming EEA firm, incoming Treaty firm or UCITS qualifier) with respect to activities wherever they are carried on.

01/12/2001
Future version of SYSC 1.1.10 after 01/03/2006

SYSC 1.1.11

(1) In considering whether to take regulatory action under SYSC 2 or SYSC 3 in relation to activities carried on outside the United Kingdom, the FSA will take into account the standards expected in the market in which the firm is operating.
(2) Most of the rules in SYSC 3 are linked to other requirements and standards under the regulatory system which have their own territorial limitations so that those SYSC rules are similarly limited in scope.

01/05/2002

SYSC 1.1.11A

ECO 1.1.6 R has the effect that SYSC does not apply to an incoming ECA provider acting as such.

01/11/2002

Actions for damages

SYSC 1.1.12

A contravention of the rules in SYSC 2 and SYSC 3 does not give rise to a right of action by a private person under section 150 of the Act (and each of those rules is specified under section 150(2) of the Act as a provision giving rise to no such right of action).

01/05/2002

SYSC 1.2

Purpose

01/12/2004

SYSC 1.2.1

The purposes of SYSC are:

(1) to encourage firms' directors and senior managers to take appropriate practical responsibility for their firms' arrangements on matters likely to be of interest to the FSA because they impinge on the FSA's functions under the Act;
(2) to increase certainty by amplifying Principle 3, under which a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems; and
(3) to encourage firms to vest responsibility for effective and responsible organisation in specific directors and senior managers.

01/12/2001
Future version of SYSC 1.2.1 after 01/01/2007

SYSC 1.2.2

The main matters, referred to in SYSC 1.2.1 G (1), which are likely to be of interest to the FSA are those which relate to confidence in the financial system; to the fair treatment of firms' customers; to the protection of consumers; and to the use of the financial system in connection with financial crime. The FSA is not primarily concerned with risks which threaten only the owners of a financial business except in so far as these risks may have an impact on those matters.

01/12/2001

Export chapter as

SYSC 2

Senior management arrangements

SYSC 2.1

Apportionment of Responsibilities

01/12/2004

SYSC 2.1.1

A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that:

(1) it is clear who has which of those responsibilities; and
(2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior managers and governing body of the firm.

01/12/2001
Future version of SYSC 2.1.1 after 01/04/2013

SYSC 2.1.2

The role undertaken by a non-executive director will vary from one firm to another. For example, the role of a non-executive director in a friendly society may be more extensive than in other firms. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes. Provided that he has personally taken due care in his role, a non-executive director would not be held discipliniarily liable either for the failings of the firm or for those of individuals within the firm. The non-executive director function, for the purposes of the approved persons regime, is described in SUP 10.

01/12/2001
Future version of SYSC 2.1.2 after 01/05/2011

SYSC 2.1.3

A firm must appropriately allocate to one or more individuals, in accordance with SYSC 2.1.4 R, the functions of:

(1) dealing with the apportionment of responsibilities under SYSC 2.1.1 R; and
(2) overseeing the establishment and maintenance of systems and controls under SYSC 3.1.1 R.

01/12/2001
Future version of SYSC 2.1.3 after 01/04/2013

SYSC 2.1.4

Allocation of functions

This table belongs to SYSC 2.1.3 R

1: Firm type

2: Allocation of both functions must be to the following individual, if any (see Note):

3: Allocation to one or more individuals selected from this column is compulsory if there is no allocation to an individual in column 2, but is otherwise optional and additional:

(1) A firm which is a body corporate and is a member of a group, other than a firm in row (2)

(1) the firm's chief executive (and all of them jointly, if more than one); or

the firm's and its group's:
(1) directors; and (2) senior managers

(2) a director or senior manager responsible for the overall management of:

(a) the group; or (b) a group division within which some or all of the firm's regulated activities fall

(2) An incoming EEA firm or incoming Treaty firm (note: only the function in SYSC 2.1.3 R (2) must be allocated)

(not applicable)

the firm's and its group's:
(1) directors; and (2) senior managers

(3) Any other firm

the firm's chief executive (and all of them jointly, if more than one)

the firm's and its group's:
(1) directors; and (2) senior manager's

Note: Column 2 does not require the involvement of the chief executive or other executive director or senior manager in an aspect of corporate governance if that would be contrary to generally accepted principles of good corporate governance.

01/12/2001
Future version of SYSC 2.1.4 after 01/04/2013

SYSC 2.1.5

SYSC 2.1.3 R and SYSC 2.1.4 R give a firm some flexibility in the individuals to whom the functions may be allocated. It will be common for both the functions to be allocated solely to the firm's chief executive. SYSC 2.1.6 G contains further guidance on the requirements of SYSC 2.1.3 R and SYSC 2.1.4 R in a question and answer form.

01/12/2001
Future version of SYSC 2.1.5 after 01/04/2013

SYSC 2.1.6

Frequently asked questions about allocation of functions in SYSC 2.1.3 R

This table belongs to SYSC 2.1.5 G

Question

Answer

Does an individual to whom a function is allocated under SYSC 2.1.3 R need to be an approved person?

An individual to whom a function is allocated under SYSC 2.1.3 R will be performing the apportionment and oversight function (CF 8, see SUP 10.7.1 R ) and an application must be made to the FSA for approval of the individual before the function is performed under section 59 of the Act (Approval for particular arrangements). There are exceptions from this in SUP 10.1 (Approved persons - Application). In particular, an incoming EEA firm is referred to the EEA investment business oversight function (CF 9, see SUP 10.7.6 R).

If the allocation is to more than one individual, can they perform the functions, or aspects of the functions, separately?

If the functions are allocated to joint chief executives under SYSC 2.1.4 R, column 2, they are expected to act jointly. If the functions are allocated to an individual under SYSC 2.1.4 R, column 2, in addition to individuals under SYSC 2.1.4 R, column 3, the former may normally be expected to perform a leading role in relation to the functions that reflects his position. Otherwise, yes.

What is meant by "appropriately allocate" in this context?

The allocation of functions should be compatible with delivering compliance with Principle 3, SYSC 2.1.1 R and SYSC 3.1.1 R. The FSA considers that allocation to one or two individuals is likely to be appropriate for most firms.

If a committee of management governs a firm or group, can the functions be allocated to every member of that committee?

Yes, as long as the allocation remains appropriate (see Question 3). If the firm also has an individual as chief executive, then the functions must be allocated to that individual as well under SYSC 2.1.4 R, column 2 (see Question 7).

Does the definition of chief executive include the possessor of equivalent responsibilities with another title, such as a managing director or managing partner?

Yes.

Is it possible for a firm to have more than one individual as its chief executive?

Although unusual, some firm may wish the responsibility of a chief executive to be held jointly by more than one individual. In that case, each of them will be a chief executive and the functions must be allocated to all of them under SYSC 2.1.4 R, column 2 (see also Questions 2 and 7).

If a firm has an individual as chief executive, must the functions be allocated to that individual?

Normally, yes, under SYSC 2.1.4 R, column 2.
But if the firm is a body corporate and a member of a group, the functions may, instead of to the firm's chief executive, be allocated to a director or senior manager from the group responsible for the overall management of the group or of a relevant group division, so long as this is appropriate (see Question 3). Such individuals will nevertheless require approval by the FSA (see Question 1).
If the firm chooses to allocate the functions to a director or senior manager responsible for the overall management of a relevant group division, the FSA would expect that individual to be of a seniority equivalent to or greater than a chief executive of the firm for the allocation to be appropriate.
See also Question 14.

If a firm has a chief executive, can the functions be allocated to other individuals in addition to the chief executive?

Yes. SYSC 2.1.4 R, column 3, permits a firm to allocate the functions, additionally, to the firm's (or where applicable the group's) directors and senior managers as long as this is appropriate (see Question 3).

What if a firm does not have a chief executive?

Normally, the functions must be allocated to one or more individuals selected from the firm's (or where applicable the group's) directors and senior managers under SYSC 2.1.4 R, column 3.
But if the firm:
(1) is a body corporate and a member of a group; and
(2) the group has a director or senior manager responsible for the overall management of the group or of a relevant group division;
then the functions must be allocated to that individual (together, optionally, with individuals from column 3 if appropriate) under SYSC 2.1.4 R, column 2.

What do you mean by "group division within which some or all of the firm's regulated activities fall"?

A "division" in this context should be interpreted by reference to geographical operations, product lines or any other method by which the group's business is divided.
If the firm's regulated activities fall within more than one division and the firm does not wish to allocate the functions to its chief executive, the allocation must, under SYSC 2.1.4 R, be to:
(1) a director or senior manager responsible for the overall management of the group; or
(2) a director or senior manager responsible for the overall management of one of those divisions;
together, optionally, with individuals from column 3 if appropriate. (See also Questions 7 and 9.)

How does the requirement to allocate the functions in SYSC 2.1.3 R apply to an overseas firm which is not an incoming EEA firm, incoming Treaty firm or UCITS qualifier?

The firm must appropriately allocate those functions to one or more individuals, in accordance with SYSC 2.1.4 R, but:
(1) The responsibilities that must be apportioned and the systems and controls that must be overseen are those relating to activities carried on from a UK establishment with certain exceptions (see SYSC 1.1.7 R). Note that SYSC 1.1.10 R does not extend the territorial scope of SYSC 2 for an overseas firm.
(2) The chief executive of an overseas firm is the person responsible for the conduct of the firm's business within the United Kingdom (see the definition of "chief executive"). This might, for example, be the manager of the firm's UK establishment, or it might be the chief executive of the firm as a whole, if he has that responsibility.
The apportionment and oversight function applies to such a firm, unless it falls within a particular exception from the approved persons regime (see Question 1).

How does the requirement to allocate the functions in SYSC 2.1.3 R apply to an incoming EEA firm or incoming Treaty firm?

SYSC 1.1.1 R (2) and SYSC 1.1.7 R restrict the application of SYSC 2.1.3 R for such a firm. Accordingly:
(1) Such a firm is not required to allocate the function of dealing with apportionment in SYSC 2.1.3 R (1).
(2) Such a firm is required to allocate the function of oversight in SYSC 2.1.3 R (2). However, the systems and controls that must be overseen are those relating to matters which the FSA, as Host State regulator, is entitled to regulate (there is guidance on this in SYSC App 1). Those are primarily, but not exclusively, the systems and controls relating to the conduct of the firm's activities carried on from its UK branch.
(3) Such a firm need not allocate the function of oversight to its chief executive; it must allocate it to one or more directors and senior managers of the firm or the firm's group under SYSC 2.1.4 R, row (2).
(4) An incoming EEA firm which has provision only for cross border services is not required to allocate either function if it does not carry on regulated activities in the United Kingdom; for example if they fall within the overseas persons exclusions in article 72 of the Regulated Activities Order.
See also Questions 1 and 15.

What about a firm that is a partnership or a limited liability partnership?

The FSA envisages that most if not all partners or members will be either directors or senior managers, but this will depend on the constitution of the partnership (particularly in the case of a limited partnership) or limited liability partnership. A partnership or limited liability partnership may also have a chief executive (see Question 5). A limited liability partnership is a body corporate and, if a member of a group, will fall within SYSC 2.1.4 R, row (1) or (2).

What if generally accepted principles of good corporate governance recommend that the chief executive should not be involved in an aspect of corporate governance?

The Note to SYSC 2.1.4 R provides that the chief executive or other executive director or senior manager need not be involved in such circumstances. For example, the Combined Code developed by the Committee on Corporate Governance recommends that the board of a listed company should establish an audit committee of non-executive directors to be responsible for oversight of the audit. That aspect of the oversight function may therefore be allocated to the members of such a committee without involving the chief executive. Such individuals may require approval by the FSAin relation to that function (see Question 1).

What about incoming electronic commerce activities?

ECO 1.1.6 R has the effect that SYSC does not apply to an incoming ECA provider acting as such.

01/02/2004
Future version of SYSC 2.1.6 after 01/11/2007

SYSC 2.2

Recording the apportionment

01/12/2004

SYSC 2.2.1

(1) A firm must make a record of the arrangements it has made to satisfy SYSC 2.1.1 R (apportionment) and SYSC 2.1.3 R (allocation) and take reasonable care to keep this up to date.
(2) This record must be retained for six years from the date on which it was superseded by a more up-to-date record.

01/12/2001
Future version of SYSC 2.2.1 after 01/04/2013

SYSC 2.2.2

(1) A firm will be able to comply with SYSC 2.2.1 R by means of records which it keeps for its own purposes provided these records satisfy the requirements of SYSC 2.2.1 R and provided the firm takes reasonable care to keep them up to date. Appropriate records might, for this purpose, include organisational charts and diagrams, project management documents, job descriptions, committee constitutions and terms of reference provided they show a clear description of the firm's major functions.
(2) Firms should record any material change to the arrangements described in SYSC 2.2.1 R as soon as reasonably practicable after that change has been made.

01/12/2001
Future version of SYSC 2.2.2 after 01/04/2013

SYSC 2.2.3

Where responsibilities have been allocated to more than one individual, the firm's record should show clearly how those responsibilities are shared or divided between the individuals concerned.

01/12/2001
Future version of SYSC 2.2.3 after 01/04/2013

Export chapter as

SYSC 3

Systems and Controls

SYSC 3.1

Systems and Controls

01/12/2004

SYSC 3.1.1

A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

01/12/2001
Future version of SYSC 3.1.1 after 01/04/2013

SYSC 3.1.2

(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including:

(a) the nature, scale and complexity of its business;
(b) the diversity of its operations, including geographical diversity;
(c) the volume and size of its transactions; and
(d) the degree of risk associated with each area of its operation.

(2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.
(3) The areas typically covered by the systems and controls referred to in SYSC 3.1.1 R are those identified in SYSC 3.2. Detailed requirements regarding systems and controls relevant to particular business areas or particular types of firm are covered elsewhere in the Handbook.

01/12/2001
Future version of SYSC 3.1.2 after 01/04/2013

SYSC 3.1.3

Where the Combined Code developed by the Committee on Corporate Governance is relevant to a firm, the FSA, in considering whether the firm's obligations under SYSC 3.1.1 R have been met, will give it due credit for following corresponding provisions in the Code and related guidance.

01/12/2001
Future version of SYSC 3.1.3 after 06/08/2010

SYSC 3.1.4

A firm has specific responsibilities regarding its appointed representatives (see SUP 12).

01/12/2001
Future version of SYSC 3.1.4 after 01/11/2007

SYSC 3.1.5

SYSC 2.1.3 R (2) prescribes how a firm must allocate the function of overseeing the establishment and maintenance of systems and controls described in SYSC 3.1.1 R.

01/12/2001
Future version of SYSC 3.1.5 after 01/04/2013

SYSC 3.2

Areas covered by systems and controls

01/12/2004

Introduction

SYSC 3.2.1

This section covers some of the main issues which a firm is expected to consider in establishing and maintaining the systems and controls appropriate to its business, as required by SYSC 3.1.1 R.

01/12/2001
Future version of SYSC 3.2.1 after 01/04/2013

Organisation

SYSC 3.2.2

A firm's reporting lines should be clear and appropriate having regard to the nature, scale and complexity of its business. These reporting lines, together with clear management responsibilities, should be communicated as appropriate within the firm.

01/12/2001
Future version of SYSC 3.2.2 after 01/04/2013

SYSC 3.2.3

(1) A firm's governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives, appropriate safeguards should be put in place.
(2) When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved.
(3) The extent and limits of any delegation should be made clear to those concerned.
(4) There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks.
(5) If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.

01/12/2001
Future version of SYSC 3.2.3 after 01/11/2007

SYSC 3.2.4

(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.
(2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.

01/12/2001
Future version of SYSC 3.2.4 after 01/04/2013

SYSC 3.2.5

Where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.

01/12/2001
Future version of SYSC 3.2.5 after 01/04/2013

Compliance

SYSC 3.2.6

A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.

01/12/2001

SYSC 3.2.7

(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
(2) The regulatory objectives are defined in section 2 of the Act and include the reduction of financial crime. This objective is more fully described in section 6 of the Act. This describes financial crime as including any offence involving (a) fraud or dishonesty, (b) misconduct in, or misuse of information relating to, a financial market, or (c) handling the proceeds of crime.
(3) In applying SYSC 3.2.6 R, where financial crime is concerned, firms must also comply with other Handbook requirements (in particular, ML) and their legal obligations under the Money Laundering Regulations and the Proceeds of Crime Act 2002.

01/03/2004
Future version of SYSC 3.2.7 after 01/03/2006

SYSC 3.2.8

(1) A firm which carries on designated investment business with or for customers must allocate to a director or senior manager the function of:

(a) having responsibility for oversight of the firm's compliance; and
(b) reporting to the governing body in respect of that responsibility.

(2) In SYSC 3.2.8 R (1) (1) "compliance" means compliance with the rules in:

(a) COB COBS (Conduct of Business);
(b) COLL (New Collective Investment Schemes) and CIS (Collective Investment Schemes) sourcebook); and
(c) CASS (Client Assets)

01/04/2004
Future version of SYSC 3.2.8 after 01/11/2007

SYSC 3.2.9

(1) SUP 10.7.8 R uses SYSC 3.2.8 R to describe the controlled function, known as the compliance oversight function, of acting in the capacity of a director or senior manager to whom this function is allocated.
(2) The rules referred to in SYSC 3.2.8 R (2) are the minimum area of focus for the firm's compliance oversight function. A firm is free to give additional responsibilities to a person performing this function if it wishes.

01/12/2001

Risk assessment

SYSC 3.2.10

(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate risk assessment function responsible for assessing the risks that the firm faces and advising the governing body and senior managers on them.
(2) The organisation and responsibilities of a risk assessment function should be documented. The function should be adequately resourced and staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively.
(3) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).

01/12/2001
Future version of SYSC 3.2.10 after 01/11/2007

Management information

SYSC 3.2.11

(1) A firm's arrangements should be such as to furnish its governing body with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Three factors will be the relevance, reliability and timeliness of that information.
(2) Risks of regulatory concern are those risks which relate to the fair treatment of the firm's customers, to the protection of consumers, to confidence in the financial system, and to the use of that system in connection with financial crime.

01/12/2001
Future version of SYSC 3.2.11 after 06/08/2010

SYSC 3.2.12

It is the responsibility of the firm to decide what information is required, when, and for whom, so that it can organise and control its activities and can comply with its regulatory obligations. The detail and extent of information required will depend on the nature, scale and complexity of the business.

01/12/2001
Future version of SYSC 3.2.12 after 01/04/2013

Employees and agents

SYSC 3.2.13

A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it.

01/12/2001
Future version of SYSC 3.2.13 after 01/04/2013

SYSC 3.2.14

(1) SYSC 3.2.13 G includes assessing an individual's honesty, and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
(2) Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.
(3) The FSA's detailed requirements on firms with respect to the competence of individuals are in the Training and Competence sourcebook (TC).[deleted]
(4) The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10.

01/12/2001
Future version of SYSC 3.2.14 after 01/11/2007

Audit committee

SYSC 3.2.15

Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G) and provide an interface between management and the external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.

01/12/2001
Future version of SYSC 3.2.15 after 01/11/2007

Internal audit

SYSC 3.2.16

Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.

(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
(2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).

01/12/2001
Future version of SYSC 3.2.16 after 01/11/2007

Business strategy

SYSC 3.2.17

A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.

01/12/2001
Future version of SYSC 3.2.17 after 01/04/2013

Remuneration policies

SYSC 3.2.18

It is possible that firms' remuneration policies will from time to time lead to tensions between the ability of the firm to meet the requirements and standards under the regulatory system and the personal advantage of those who act for it. Where tensions exist, these should be appropriately managed.

01/12/2001
Future version of SYSC 3.2.18 after 01/04/2013

Business continuity

SYSC 3.2.19

A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

01/12/2001
Future version of SYSC 3.2.19 after 01/04/2013

Records

SYSC 3.2.20

(1) A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.
(2) Subject to (3) and to any other record-keeping rule in the Handbook, the records required by (1) or by such other rule must be capable of being reproduced in the English language on paper.
(3) If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language as required by (2).

01/12/2001
Future version of SYSC 3.2.20 after 01/04/2013

SYSC 3.2.21

A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.

01/12/2001
Future version of SYSC 3.2.21 after 01/04/2013

SYSC 3.2.22

Detailed record-keeping requirements for different types of firm are to be found elsewhere in the Handbook. Schedule 1 to the Handbook is a consolidated schedule of these requirements.

01/12/2001
Future version of SYSC 3.2.22 after 01/04/2013

Export chapter as

SYSC 3A

Operational Risk: Systems and Controls

SYSC 3A.1

Application

31/12/2004

SYSC 3A.1.1

SYSC 3A applies to an insurer unless it is:

(1) a non-directive friendly society; or
(2) an incoming EEA firm; or
(3) an incoming Treaty firm.

31/12/2004

SYSC 3A.1.2

SYSC 3A applies to:

(1) an EEA-deposit insurer; and
(2) a Swiss general insurer;

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

31/12/2004

SYSC 3A.2

Purpose

31/12/2004

SYSC 3A.2.1

This chapter provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any of a firm's operations, such as its IT systems and outsourcing arrangements. It does not cover systems and controls for managing credit, market, liquidity and insurance risk.

31/12/2004

SYSC 3A.2.2

Operational risk is a concept that can have a different application for different firms. A firm should assess the appropriateness of the guidance in this chapter in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3, to organise and control its affairs responsibly and effectively.

31/12/2004

SYSC 3A.2.3

A firm should take steps to understand the types of operational risk that are relevant to its particular circumstances, and the operational losses to which they expose the firm. This should include considering the potential sources of operational risk addressed in this chapter: people; processes and systems; external events.

31/12/2004

SYSC 3A.2.4

Operational risk can affect, amongst other things, a firm's solvency, or lead to unfair treatment of consumers or lead to financial crime. A firm should consider all operational risk events that may affect these matters in establishing and maintaining its systems and controls.

31/12/2004

SYSC 3A.3

Other related Handbook sections

31/12/2004

SYSC 3A.3.1

The following is a non-exhaustive list of rules and guidance in the Handbook that are relevant to a firm's management of operational risk:

(1) PRU 1.4 and PRU 6.1 contain specific rules and guidance for the establishment and maintenance of operational risk systems and controls in a prudential context.
(2) COB contains rules and guidance that can relate to the management of operational risk, for example, COB 2 (Rules which apply to all firms conducting designated investment business), COB 3 (Financial promotion), COB 5 (Advising and selling) and COB 7 (Dealing and managing).

31/12/2004

SYSC 3A.4

Requirements to notify the FSA

31/12/2004

SYSC 3A.4.1

Under Principle 11 and SUP 15.3.1 R a firm must notify the FSA immediately of any operational risk matter of which the FSA would reasonably expect notice. SUP 15.3.8 G provides guidance on the occurrences that this requirement covers, which include a significant failure in systems and controls and a significant operational loss.

31/12/2004

SYSC 3A.4.2

Regarding operational risk, matters of which the FSA would expect notice under Principle 11 include:

(1) any significant operational exposures that a firm has identified;
(2) the firm's invocation of a business continuity plan; and
(3) any other significant change to a firm's organisation, infrastructure or business operating environment.

31/12/2004

SYSC 3A.5

Risk management terms

31/12/2004

SYSC 3A.5.1

In this chapter, the following interpretations of risk management terms apply:

(1) a firm's risk culture encompasses the general awareness, attitude and behaviour of its employees and appointed representatives to risk and the management of risk within the organisation;
(2) operational exposure means the degree of operational risk faced by a firm and is usually expressed in terms of the likelihood and impact of a particular type of operational loss occurring (for example, fraud, damage to physical assets);
(3) a firm's operational risk profile describes the types of operational risks that it faces, including those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients, and its exposure to these risks.

31/12/2004

SYSC 3A.6

People

31/12/2004

SYSC 3A.6.1

A firm should consult SYSC 3.2.2 G to SYSC 3.2.5 G for guidance on reporting lines and delegation of functions within a firm and SYSC 3.2.13 G to SYSC 3.2.14 G for guidance on the suitability of employees and appointed representatives. This section provides additional guidance on management of employees and other human resources in the context of operational risk.

31/12/2004

SYSC 3A.6.2

A firm should establish and maintain appropriate systems and controls for the management of operational risks that can arise from employees. In doing so, a firm should have regard to:

(1) its operational risk culture, and any variations in this or its human resource management practices, across its operations (including, for example, the extent to which the compliance culture is extended to in-house IT staff);
(2) whether the way employees are remunerated exposes the firm to the risk that it will not be able to meet its regulatory obligations (see SYSC 3.2.18 G). For example, a firm should consider how well remuneration and performance indicators reflect the firm's tolerance for operational risk, and the adequacy of these indicators for measuring performance;
(3) whether inadequate or inappropriate training of client-facing services exposes clients to risk of loss or unfair treatment including by not enabling effective communication with the firm;
(4) the extent of its compliance with applicable regulatory and other requirements that relate to the welfare and conduct of employees;
(5) its arrangements for the continuity of operations in the event of employee unavailability or loss;
(6) the relationship between indicators of 'people risk' (such as overtime, sickness, and employee turnover levels) and exposure to operational losses; and
(7) the relevance of all the above to employees of a third party supplier who are involved in performing an outsourcing arrangement. As necessary, a firm should review and consider the adequacy of the staffing arrangements and policies of a service provider.

31/12/2004

Employee Responsibilities

SYSC 3A.6.3

A firm should ensure that all employees are capable of performing, and aware of, their operational risk management responsibilities, including by establishing and maintaining:

(1) appropriate segregation of employees' duties and appropriate supervision of employees in the performance of their responsibilities (see SYSC 3.2.5 G);
(2) appropriate recruitment and subsequent processes to review the fitness and propriety of employees (see SYSC 3.2.13 G and SYSC 3.2.14 G);
(3) clear policy statements and appropriate systems and procedures manuals that are effectively communicated to employees and available for employees to refer to as required. These should cover, for example, compliance, IT security and health and safety issues;
(4) training processes that enable employees to attain and maintain appropriate competence; and
(5) appropriate and properly enforced disciplinary and employment termination policies and procedures.

31/12/2004

SYSC 3A.6.4

A firm should have regard to SYSC 3A.6.3 G in relation to approved persons, people occupying positions of high personal trust (for example, security administration, payment and settlement functions); and people occupying positions requiring significant technical competence (for example, derivatives trading and technical security administration). A firm should also consider the rules and guidance for approved persons in other parts of the Handbook (including APER and SUP) and the rules and guidance on senior manager responsibilities in SYSC 2.1 (Apportionment of Responsibilities).

31/12/2004

SYSC 3A.7

Processes and systems

31/12/2004

SYSC 3A.7.1

A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to:

(1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems);
(2) controls that will help it to prevent system and process failures or identify them to permit prompt rectification (including pre-approval or reconciliation processes);
(3) whether the design and use of its processes and systems allow it to comply adequately with regulatory and other requirements;
(4) its arrangements for the continuity of operations in the event that a significant process or system becomes unavailable or is destroyed; and
(5) the importance of monitoring indicators of process or system risk (including reconciliation exceptions, compensation payments for client losses and documentation errors) and experience of operational losses and exposures.

31/12/2004

Internal documentation

SYSC 3A.7.2

Internal documentation may enhance understanding and aid continuity of operations, so a firm should ensure the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational risk.

31/12/2004

External documentation

SYSC 3A.7.3

A firm may use external documentation (including contracts, transaction statements or advertising brochures) to define or clarify terms and conditions for its products or activities, its business strategy (for example, including through press statements), or its brand. Inappropriate or inaccurate information in external documents can lead to significant operational exposure.

31/12/2004

SYSC 3A.7.4

A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so a firm should have regard to:

(1) compliance with applicable regulatory and other requirements (such as COB 3 (Financial promotion));
(2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard terms (whose meaning may not yet be settled or whose effectiveness may be uncertain);
(3) the manner in which its documentation is issued; and
(4) the extent to which confirmation of acceptance is required (including by customer signature or counterparty confirmation).

31/12/2004

IT systems

SYSC 3A.7.5

IT systems include the computer systems and infrastructure required for the automation of processes, such as application and operating system software; network infrastructure; and desktop, server, and mainframe hardware. Automation may reduce a firm's exposure to some 'people risks' (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.

31/12/2004

SYSC 3A.7.6

A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:

(1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
(2) the extent to which technology requirements are addressed in its business strategy;
(3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
(4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).

31/12/2004

Information security

SYSC 3A.7.7

Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:

(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
(2) integrity: safeguarding the accuracy and completeness of information and its processing;
(3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
(4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.

31/12/2004

SYSC 3A.7.8

A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

31/12/2004

Geographic location

SYSC 3A.7.9

Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to:

(1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or cultural differences on the provision of services);
(2) relevant local regulatory and other requirements regarding data protection and transfer;
(3) the extent to which local regulatory and other requirements may restrict its ability to meet regulatory obligations in the United Kingdom (for example, access to information by the FSA and local restrictions on internal or external audit); and
(4) the timeliness of information flows to and from its headquarters and whether the level of delegated authority and the risk management structures of the overseas operation are compatible with the firm's head office arrangements.

31/12/2004

SYSC 3A.8

External events and other changes

31/12/2004

SYSC 3A.8.1

The exposure of a firm to operational risk may increase during times of significant change to its organisation, infrastructure and business operating environment (for example, following a corporate restructure or changes in regulatory requirements). Before, during, and after expected changes, a firm should assess and monitor their effect on its risk profile, including with regard to:

(1) untrained or de-motivated employees or a significant loss of employees during the period of change, or subsequently;
(2) inadequate human resources or inexperienced employees carrying out routine business activities owing to the prioritisation of resources to the programme or project;
(3) process or system instability and poor management information due to failures in integration or increased demand; and
(4) inadequate or inappropriate processes following business re-engineering.

31/12/2004

SYSC 3A.8.2

A firm should establish and maintain appropriate systems and controls for the management of the risks involved in expected changes, such as by ensuring:

(1) the adequacy of its organisation and reporting structure for managing the change (including the adequacy of senior management oversight);
(2) the adequacy of the management processes and systems for managing the change (including planning, approval, implementation and review processes); and
(3) the adequacy of its strategy for communicating changes in systems and controls to its employees.

31/12/2004

Unexpected changes and business continuity management

SYSC 3A.8.3

SYSC 3.2.19 G provides high level guidance on business continuity. This section provides additional guidance on managing business continuity in the context of operational risk.

31/12/2004

SYSC 3A.8.4

The high level requirement for appropriate systems and controls at SYSC 3.1.1 R applies at all times, including when a business continuity plan is invoked. However, the FSA recognises that, in an emergency, a firm may be unable to comply with a particular rule and the conditions for relief are outlined in GEN 1.3 (Emergency).

31/12/2004

SYSC 3A.8.5

A firm should consider the likelihood and impact of a disruption to the continuity of its operations from unexpected events. This should include assessing the disruptions to which it is particularly susceptible (and the likely timescale of those disruptions) including through:

(1) loss or failure of internal and external resources (such as people, systems and other assets);
(2) the loss or corruption of its information; and
(3) external events (such as vandalism, war and "acts of God").

31/12/2004

SYSC 3A.8.6

A firm should implement appropriate arrangements to maintain the continuity of its operations. A firm should act to reduce both the likelihood of a disruption (including by succession planning, systems resilience and dual processing); and the impact of a disruption (including by contingency arrangements and insurance).

31/12/2004

SYSC 3A.8.7

A firm should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. A firm should establish:

(1) formal business continuity plans that outline arrangements to reduce the impact of a short, medium or long-term disruption, including:

(a) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
(b) the recovery priorities for the firm's operations; and
(c) communication arrangements for internal and external concerned parties (including the FSA, clients and the press);

(2) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
(3) processes to validate the integrity of information affected by the disruption;
(4) processes to review and update (1) to (3) following changes to the firm's operations or risk profile (including changes identified through testing).

31/12/2004

SYSC 3A.8.8

The use of an alternative site for recovery of operations is common practice in business continuity management. A firm that uses an alternative site should assess the appropriateness of the site, particularly for location, speed of recovery and adequacy of resources. Where a site is shared, a firm should evaluate the risk of multiple calls on shared resources and adjust its plans accordingly.

31/12/2004

SYSC 3A.9

Outsourcing

31/12/2004

SYSC 3A.9.1

As SYSC 3.2.4 G explains, a firm cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions. This section provides additional guidance on managing outsourcing arrangements (and will be relevant, to some extent, to other forms of third party dependency) in relation to operational risk. Outsourcing may affect a firm's exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.

31/12/2004

SYSC 3A.9.2

Firms should take particular care to manage material outsourcing arrangements and, as SUP 15.3.8 G (1)(e) explains, a firm should notify the FSA when it intends to enter into a material outsourcing arrangement.

31/12/2004

SYSC 3A.9.3

A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk.

31/12/2004

SYSC 3A.9.4

Before entering into, or significantly changing, an outsourcing arrangement, a firm should:

(1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
(2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
(3) conduct appropriate due diligence of the service provider's financial stability and expertise;
(4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
(5) consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

31/12/2004

SYSC 3A.9.5

In negotiating its contract with a service provider, a firm should have regard to:

(1) reporting or notification requirements it may wish to impose on the service provider;
(2) whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the Act) and to the FSA (see SUP 2.3.5 R (Access to premises) and SUP 2.3.7 R (Suppliers under material outsourcing arrangements);
(3) information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
(4) the adequacy of any guarantees and indemnities;
(5) the extent to which the service provider must comply with the firm's policies and procedures (covering, for example, information security);
(6) the extent to which a service provider will provide business continuity for outsourcing operations, and whether exclusive access to its resources is agreed;
(7) the need for continued availability of software following difficulty at a third party supplier;
(8) the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:

(a) a change of ownership or control (including insolvency or receivership) of the service provider or firm;
(b) significant change in the business operations (including sub-contracting) of the service provider or firm; or
(c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

31/12/2004

SYSC 3A.9.6

In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:

(1) the identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
(2) the evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
(3) remedial action and escalation processes for dealing with inadequate performance.

31/12/2004

SYSC 3A.9.7

In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls. The use of such reports does not absolve the firm of responsibility to maintain other oversight. In addition, the firm should not normally have to forfeit its right to access, for itself or its agents, to the service provider's premises.

31/12/2004

SYSC 3A.9.8

A firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement.

31/12/2004

SYSC 3A.10

Insurance

31/12/2004

SYSC 3A.10.1

Whilst a firm may take out insurance with the aim of reducing the monetary impact of operational risk events, non-monetary impacts may remain (including impact on the firm's reputation). A firm should not assume that insurance alone can replace robust systems and controls.

01/12/2001

SYSC 3A.10.2

When considering utilising insurance, a firm should consider:

(1) the time taken for the insurer to pay claims (including the potential time taken in disputing cover) and the firm's funding of operations whilst awaiting payment of claims;
(2) the financial strength of the insurer, which may determine its ability to pay claims, particularly where large or numerous small claims are made at the same time; and
(3) the effect of any limiting conditions and exclusion clauses that may restrict cover to a small number of specific operational losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).

01/12/2001

Export chapter as

SYSC 4

Guidance on Public Interest Disclosure Act: Whistleblowing

SYSC 4.1

Application and purpose

01/12/2004
Future version of SYSC 4.1 after 01/01/2007

SYSC 4.1.1

This chapter is relevant to every firm to the extent that the Public Interest Disclosure Act 1998 ("PIDA") applies to it.

01/05/2002
Future version of SYSC 4.1.1 after 01/01/2007

Purpose

SYSC 4.1.2

(1) The purposes of this chapter are:

(a) to remind firms of the provisions of PIDA; and
(b) to encourage firms to consider adopting and communicating to workers appropriate internal procedures for handling workers' concerns as part of an effective risk management system.

(2) In this chapter "worker" includes, but is not limited to, an individual who has entered into a contract of employment.

01/05/2002
Future version of SYSC 4.1.2 after 01/01/2007

SYSC 4.1.3

The guidance in this chapter concerns the effect of PIDA in the context of the relationship between firms and the FSA. It is not comprehensive guidance on PIDA itself.

01/05/2002
Future version of SYSC 4.1.3 after 01/01/2007

SYSC 4.1.8A

An operator of an electronic system in relation to lending must take reasonable steps to ensure that arrangements are in place to ensure that P2P agreements facilitated by it will continue to be managed and administered, in accordance with the contract terms, if at any time it ceases to carry on the activity of operating an electronic system in relation to lending

01/05/2002

SYSC 4.2

Practical measures

01/12/2004
Future version of SYSC 4.2 after 01/01/2007

Effect of PIDA

SYSC 4.2.1

(1) Under PIDA, any clause or term in an agreement between a worker and his employer is void in so far as it purports to preclude the worker from making a protected disclosure (that is, "blow the whistle").
(2) In accordance with section 1 of PIDA:

(a) a protected disclosure is a qualifying disclosure which meets the relevant requirements set out in that section;
(b) a qualifying disclosure is a disclosure, made in good faith, of information which, in the reasonable belief of the worker making the disclosure, tends to show that one or more of the following (a "failure") has been, is being, or is likely to be, committed:

(i) a criminal offence; or
(ii) a failure to comply with any legal obligation; or
(iii) a miscarriage of justice; or
(iv) the putting of the health and safety of any individual in danger; or
(v) damage to the environment; or
(vi) deliberate concealment relating to any of (i) to (v);

it is immaterial whether the relevant failure occurred, occurs or would occur in the United Kingdom or elsewhere, and whether the law applying to it is that of the United Kingdom or of any other country or territory.

01/05/2002
Future version of SYSC 4.2.1 after 01/01/2007

Internal procedures

SYSC 4.2.2

(1) Firms are encouraged to consider adopting (and encouraged to invite their appointed representatives to consider adopting) appropriate internal procedures which will encourage workers with concerns to blow the whistle internally about matters which are relevant to the functions of the FSA.
(2) Smaller firms may choose not to have as extensive procedures in place as larger firms. For example, smaller firms may not need written procedures. The following is a list of things that larger and smaller firms may want to do.

(a) For larger firms, appropriate internal procedures may include:

(i) a clear statement that the firm takes failures seriously (see SYSC 4.2.1 G (2)(b));
(ii) an indication of what is regarded as a failure;
(iii) respect for the confidentiality of workers who raise concerns, if they wish this;
(iv) an assurance that, where a protected disclosure has been made, the firm will take all reasonable steps to ensure that no person under its control engages in victimisation;
(v) the opportunity to raise concerns outside the line management structure, such as with the Compliance Director, Internal Auditor or Company Secretary;
(vi) penalties for making false and malicious allegations;
(vii) an indication of the proper way in which concerns may be raised outside the firm if necessary (see (3);
(viii) providing access to an external body such as an independent charity for advice;
(ix) making whistleblowing procedures accessible to staff of key contractors; and
(x) written procedures.

(b) For smaller firms, appropriate internal procedures may include:

(i) telling workers that the firm takes failures seriously (see SYSC 4.2.1 G (2)(b)) and explaining how wrongdoing affects the organisation;
(ii) telling workers what conduct is regarded as failure;
(iii) telling workers who raise concerns that their confidentiality will be respected, if they wish this;
(iv) making it clear that concerned workers will be supported and protected from reprisals;
(v) nominating a senior officer as an alternative route to line management and telling workers how they can contact that individual in confidence;
(vi) making it clear that false and malicious allegations will be penalised by the firm;
(vii) telling workers how they can properly blow the whistle outside the firm if necessary (see (3);
(viii) providing access to an external body for advice such as an independent charity for advice; and
(ix) encouraging managers to be open to concerns.

(a) Firms should also consider telling workers (through the firm's internal procedures, or by means of an information sheet available from the FSA's website, or by some other means) that they can blow the whistle to the FSA, as the regulator prescribed in respect of financial services and markets matters under PIDA.
(b) The FSA will give priority to live concerns or matters of recent history, and will emphasise that the worker's first port of call should ordinarily be the firm (see Frequently Asked Questions on www.fsa.gov.uk/whistle/).
(c) For the FSA's treatment of confidential information, see SUP 2.2.4 G.

01/05/2002
Future version of SYSC 4.2.2 after 01/01/2007

Links to fitness and propriety

SYSC 4.2.3

The FSA would regard as a serious matter any evidence that a firm had acted to the detriment of a worker because he had made a protected disclosure (see SYSC 4.2.1 G (2) about matters which are relevant to the functions of the FSA. Such evidence could call into question the fitness and propriety of the firm or relevant members of its staff, and could therefore, if relevant, affect the firm's continuing satisfaction of threshold condition 5 (Suitability) or, for an approved person, his status as such.

01/05/2002
Future version of SYSC 4.2.3 after 01/01/2007

Export chapter as

SYSC App 1

Matters
reserved to a Home State regulator (see SYSC 1.1.1 R (1)(b) and SYSC 1.1.1
R (1)(c))

SYSC App 1.1

Matters reserved to a Home State regulator (see SYSC 1.1.1 R (1)(b) and SYSC 1.1.1 R (1)(c))

01/12/2004

SYSC App 1.1.1

The application of SYSC 2.1.3 R, SYSC 2.2.3 G and SYSC 3 to an incoming EEA firm or incoming Treaty firm depends on whether responsibility for the matter in question is reserved to the firm's Home State regulator. This appendix contains guidance designed to assist such firms in understanding the application of those provisions. This appendix is not concerned with the FSA's rights to take enforcement action against an incoming EEA firm or an incoming Treaty firm, which are covered in the Enforcement manual (ENF), or with the position of a firm with a top-up permission.

01/12/2001
Future version of SYSC App 1.1.1 after 28/08/2007

SYSC App 1.1.2

The Single Market Directives and the Treaty (as interpreted by the European Court of Justice) adopt broadly similar approaches to reserving responsibility to the Home State regulator. To summarise, the FSA, as Host State regulator, is entitled to impose requirements with respect to activities carried on within the United Kingdom if these can be justified in the interests of the "general good" and are imposed in a non-discriminatory way. This general proposition is subject to the following in relation to activities passported under the Single Market Directives:

(1) the Single Market Directives expressly reserve responsibility for the prudential supervision of an ISD investment firm, BCD credit institution, UCITS management company or passporting insurance undertaking to the firm's Home State regulator. The IMD reaches the same position without expressly referring to the concept of prudential supervision. Accordingly, the FSA, as Host State regulator, is entitled to regulate only the conduct of the firm's business within the United Kingdom;
(2) article 11 of the ISD sets out various rules of conduct which the FSA, as Host State regulator, is required to impose on an ISD investment firm (including a BCD credit institution which is an ISD investment firm) in relation to core investment services (and, where appropriate, to non-core investment services) provided within the United Kingdom;
(3) for a BCD credit institution, the FSA, as Host State regulator, is jointly responsible with the Home State regulator under article 27 of the Banking Consolidation Directive for supervision of the liquidity of a branch in the United Kingdom;
(4) for an ISD investment firm (including a BCD credit institution which is an ISD investment firm), the protection of clients' money and clients' assets is reserved to the Home State regulator under the ISD; and
(5) responsibility for participation in compensation schemes for BCD credit institutions and ISD investment firms is reserved in most cases to the Home State regulator under the Deposit Guarantee Directive and the Investor Compensation Directive.

13/01/2004
Future version of SYSC App 1.1.2 after 06/04/2007

SYSC App 1.1.3

It is necessary to refer to the case law of the European Court of Justice to interpret the concept of the "general good". To summarise, to satisfy the general good test, Host State rules must come within a field which has not been harmonised at a Community level, satisfy the general requirements that they pursue an objective of the general good, be non-discriminatory, be objectively necessary, be proportionate to the objective pursued and not already be safeguarded by rules to which the firm is subject in its Home State.

01/12/2001

SYSC App 1.1.4

The FSA considers that it is entitled, in the interests of the general good, to impose the requirements in SYSC 2.1.3 R to SYSC 2.2.3 G (in relation to the allocation of the function in SYSC 2.1.3 R (2)) and SYSC 3 on an incoming EEA firm and an incoming Treaty firm; but only in so far as they relate to those categories of matter responsibility for which is not reserved to the firm's Home State regulator.

01/12/2001

SYSC App 1.1.5

Should the FSA become aware of anything relating to an incoming EEA firm or incoming Treaty firm (whether or not relevant to a matter for which responsibility is reserved to the Home State regulator), the FSA may disclose it to the Home State regulator in accordance with any applicable directive and the applicable restrictions in Part XXIII of the Act (Public Record, Disclosure of Information and Co-operation).

01/12/2001

SYSC App 1.1.6

This appendix represents the FSA's views, but a firm is also advised to consult the relevant European Community instrument and, where necessary, seek legal advice. The views of the European Commission in the banking and insurance sectors are contained in two Commission Interpretative Communications (Nos. 97/C209/04 and C(1999)5046).

01/12/2001

SYSC App 1.1.7

AUTH 5 Annex 1 G summarises the application of the Handbook to an incoming EEA firm. That annex indicates in broad terms, and in relation to such firms, those categories of matter which are reserved to a Home State regulator and those which the FSA, as Host State regulator, is entitled to regulate when carried on within the United Kingdom.

01/12/2001
Future version of SYSC App 1.1.7 after 01/02/2006

SYSC App 1.1.8

Examples of how the FSA considers that SYSC 3 will apply in practice to an incoming EEA firm (see SYSC 1.1.4 R) are as follows:

(1) The Integrated Prudential Sourcebook (PRU) (with the exception of PRU 7.6.33 R on the payment of financial penalties) and the Interim Prudential sourcebook (insurers) (IPRU (INS)) (with the exception of rules 3.6 and 3.7)do not apply to an insurer which is an incoming EEA firm. Similarly, SYSC 3 does not require such a firm:

(a) to establish systems and controls in relation to financial resources (SYSC 3.1.1 R); or
(b) to establish systems and controls for compliance with that Interim Prudential sourcebook or PRU (SYSC 3.2.6 R); or
(c) to make and retain records in relation to financial resources (SYSC 3.2.20 R).

(2) The Conduct of Business sourcebook applies to an incoming EEA firm. Similarly, SYSC 3 does require such a firm:

(a) to establish systems and controls in relation to those aspects of the conduct of its business covered by applicable sections of COB (SYSC 3.1.1 R);
(b) to establish systems and controls for compliance with the applicable sections of COB (SYSC 3.2.6 R); and
(c) to make and retain records in relation to those aspects of the conduct of its business (SYSC 3.2.20 R).

31/12/2004
Future version of SYSC App 1.1.8 after 31/12/2006

SYSC App 1.1.9

See also Question 12 in SYSC 2.1.6 G for guidance on the application of SYSC 2.1.3 R (2).

01/12/2001

Export chapter as

Transitional Provisions and Schedules

SYSC TP 1

Transitional provisions

SYSC TP 1.1

There are no transitional provisions in SYSC. However, GEN contains some technical transitional provisions that apply throughout the Handbook and which are designed to ensure a smooth transition at commencement.

01/12/2004
Future version of SYSC TP 1 after 01/03/2006

SYSC Sch 1

Record keeping requirements

01/12/2004

SYSC Sch 1.1

The aim of the guidance in the following table is to give the reader a quick over-all view of the relevant record keeping requirements.

It is not a complete statement of those requirements and should not be relied on as if it were.

01/12/2004
Future version of SYSC Sch 1.1 after 01/04/2013

SYSC Sch 1.2

Handbook reference

Subject of record

Contents of record

When record must be made

Retention period

SYSC 2.2.1 R

Arrangements made to satisfy SYSC 2.1.1 R (apportionment) and SYSC 2.1.3 R (allocation)

Those arrangements

On making the arrangements and when they are updated

Six years from the date on which the record is superseded by a more up-to-date record

SYSC 3.2.20 R

Matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system

Adequate

Adequate time

Adequate

01/12/2004
Future version of SYSC Sch 1.2 after 01/01/2007

SYSC Sch 2

Notification requirements

01/12/2004

SYSC Sch 2.1

There are no notification or reporting requirements in SYSC.

01/12/2004
Future version of SYSC Sch 2.1 after 01/04/2013

SYSC Sch 3

Fees and other required payments

01/12/2004

SYSC Sch 3.1

There are no requirement for fees or other payments in SYSC.

01/12/2004
Future version of SYSC Sch 3.1 after 01/04/2013

SYSC Sch 4

Powers exercised

01/12/2004

SYSC Sch 4.1

The following powers and related provisions in the Act have been exercised by the FSA to make the rules in SYSC:

Section 138 (General rule-making power)

Section 145 (Financial promotion rules)

Section 146 (Money laundering rules)

Section 150(2) (Actions for damages)

Section 156 (General supplementary powers)

01/12/2004
Future version of SYSC Sch 4.1 after 01/01/2010

SYSC Sch 5

Rights of action for damages

01/12/2004

SYSC Sch 5.1

The table below sets out the rules in SYSC contravention of which by an authorised person may be actionable under section 150 of the Act (Actions for damages) by a person who suffers loss as a result of the contravention.

01/12/2004

SYSC Sch 5.2

If a 'Yes' appears in the column headed 'For private person', the rule may be actionable by a 'private person' under section 150 (or, in certain circumstances, his fiduciary or representative; see article 6(2) and (3)(c) of the Financial Services and Markets Act 2000 (Rights of Action) Regulations 2001 (SI 2001 No 2256)). A 'Yes' in the column headed 'Removed' indicates that the FSA has removed the right of action under section 150(2) of the Act. If so, a reference to the rule in which it is removed is also given.

01/12/2004

SYSC Sch 5.3

The column headed 'For other person' indicates whether the rule may be actionable by a person other than a private person (or his fiduciary or representative) under article 6(2) and (3) of those Regulations. If so, an indication of the type of person by whom the rule may be actionable is given.

01/12/2004

SYSC Sch 5.4

Chapter/Appendix

Section/Annex

Paragraph

Right of action under section 150

For private person?

Removed?

For other person?

All rules in SYSC

Yes
SYSC 1.1.12 R

01/12/2004
Future version of SYSC Sch 5.4 after 01/01/2007

SYSC Sch 6

Rules that can be waived

01/12/2004

SYSC Sch 6.1

The rules in SYSC can be waived by the FSA under section 148 of the Act (Modification or waiver of rules).

01/12/2004
Future version of SYSC Sch 6.1 after 01/01/2007

Export chapter as

Our website uses cookies

SYSC Senior Management Arrangements, Systems and Controls sourcebook

Used in

Export part as

Application and purpose

Application of SYSC 2 and SYSC 3

Purpose of this section

Who?

What?

Where?

Actions for damages

Purpose

Senior management arrangements

Apportionment of Responsibilities

Allocation of functions

This table belongs to SYSC 2.1.3 R

Frequently asked questions about allocation of functions in SYSC 2.1.3 R

This table belongs to SYSC 2.1.5 G

Recording the apportionment

Systems and Controls

Systems and Controls

Areas covered by systems and controls

Introduction

Organisation

Compliance

Risk assessment

Management information

Employees and agents

Audit committee

Internal audit

Business strategy

Remuneration policies

Business continuity

Records

Operational Risk: Systems and Controls

Application

Purpose

Other related Handbook sections

Requirements to notify the FSA

Risk management terms

People

Employee Responsibilities

Processes and systems

Internal documentation

External documentation

IT systems

Information security

Geographic location

External events and other changes

Unexpected changes and business continuity management

Outsourcing

Insurance

Guidance on Public Interest Disclosure Act: Whistleblowing

Application and purpose

Purpose

Practical measures

Effect of PIDA

Internal procedures

Links to fitness and propriety

Mattersreserved to a Home State regulator (see SYSC 1.1.1 R (1)(b) and SYSC 1.1.1R (1)(c))

Matters reserved to a Home State regulator (see SYSC 1.1.1 R (1)(b) and SYSC 1.1.1 R (1)(c))

Transitional Provisions and Schedules

Transitional provisions

Record keeping requirements

Notification requirements

Fees and other required payments

Powers exercised

Rights of action for damages

Rules that can be waived

Matters
reserved to a Home State regulator (see SYSC 1.1.1 R (1)(b) and SYSC 1.1.1
R (1)(c))