SYSC Senior Management Arrangements, Systems and Controls sourcebook

Export part as

SYSC 1

Application and purpose

SYSC 1.1

Application of SYSC 2 and SYSC 3

Purpose of this section

SYSC 1.1.-2

See Notes

handbook-guidance
This section sets out the application of SYSC 2 Senior management arrangements and SYSC 3 Systems and controls.

SYSC 1.1.-1

See Notes

handbook-guidance
The application of SYSC 3A (Operational Risk: Systems and Controls) is set out in SYSC 3A.1.1 G and SYSC 3A.1.2 G. The application of SYSC 4 (Guidance on Public Interest Disclosure Act: Whistleblowing) is set out in SYSC 4.1.1 R Application.

Who?

SYSC 1.1.1

See Notes

handbook-rule

SYSC 2 and SYSC 3 apply to every firm except that:

  1. (1) for an incoming EEA firm or an incoming Treaty firm:
    1. (a) SYSC 2.1.1 R and SYSC 2.1.2 G do not apply;
    2. (b) SYSC 2.1.3 R to SYSC 2.2.3 G apply, but only in relation to allocation of the function in SYSC 2.1.3 R (2) and only in so far as responsibility for the matter in question is not reserved by a European Community instrument to the firm's Home State regulator; and
    3. (c) SYSC 3 applies, but only in so far as responsibility for the matter in question is not reserved by a European Community instrument to the firm's Home State regulator;
  2. (2) for an incoming EEA firm which has permission only for cross border services and which does not carry on regulated activities in the United Kingdom, SYSC 2 and SYSC 3 do not apply;
  3. (2A) for an incoming Treaty firm which has permission only for cross border services and which does not carry on regulated activities in the United Kingdom, SYSC 3.2.6A R to SYSC 3.2.6J G do not apply;
  4. (3) for a sole trader:
    1. (a) SYSC 2 does not apply as long as he does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements);
    2. (b) SYSC 3.2.6I R does not apply if he has no employees;
  5. (4) for a UCITS qualifier:
    1. (a) SYSC 2.1.1 R and SYSC 2.1.2 G do not apply;
    2. (b) SYSC 2.1.3 R to SYSC 2.2.3 G apply, but only in relation to allocation of the function in SYSC 2.1.3 R (2) and only with respect to the activities in SYSC 1.1.4 R;
    3. (c) SYSC 3 applies, but only with respect to the activities in SYSC 1.1.4 R; and
  6. (5) for an authorised professional firm when carrying on non-mainstream regulated activities, SYSC 3.2.6A R to SYSC 3.2.6J G do not apply.

SYSC 1.1.2

See Notes

handbook-guidance
  1. (1) Question 12 in SYSC 2.1.6 G and SYSC App 1 contain guidance on SYSC 1.1.1 R (1)(b) and (c).
  2. (2) SYSC 1.1.7 R and SYSC 1.1.10 R further restrict the territorial application of SYSC 2 and SYSC 3 for an incoming EEA firm, incoming Treaty firm or UCITS qualifier.
  3. (3) SYSC 1.1.1 R (4) puts incoming EEA firm on an equal footing with unauthorised overseas persons who utilise the overseas persons exclusions in article 72 of the Regulated Activities Order.

What?

SYSC 1.1.3

See Notes

handbook-rule

SYSC 2 and SYSC 3 apply with respect to the carrying on of:

  1. (1) regulated activities;
  2. (2) activities that constitute dealing in investments as principal, disregarding the exclusion in article 15 of the Regulated Activities Order (Absence of holding out etc); and
  3. (3) ancillary activities in relation to designated investment business, home finance activity and insurance mediation activity;

except that SYSC 3.2.6A R to SYSC 3.2.6J G do not apply as described in SYSC 1.1.3A R.

SYSC 1.1.3A

See Notes

handbook-rule

SYSC 3.2.6A R to SYSC 3.2.6J G do not apply:

  1. (1) with respect to the activities described in SYSC 1.1.3 R (2) and (3); or
  2. (2) in relation to the following regulated activities:
    1. (a) general insurance business;
    2. (b) insurance mediation activity in relation to a general insurance contract or pure protection contract;
    3. (c) long-term insurance business which is outside the Consolidated Life Directive (unless it is otherwise one of the regulated activities specified in this rule);
    4. (d) business relating to contracts which are within the Regulated Activities Order only because they fall within paragraph (e) of the definition of "contract of insurance" in article 3 of that Order;
    5. (e)
      1. (i) arranging, by the Society of Lloyd's, of deals in general insurance contracts written at Lloyd's; and
      2. (ii) managing the underwriting capacity of a Lloyd's syndicate as a managing agent at Lloyd's; and
      3. (f) mortgage mediation activity and administering a regulated mortgage contract

SYSC 1.1.4

See Notes

handbook-rule

SYSC 2 and SYSC 3, except SYSC 3.2.6A R to SYSC 3.2.6J G, also apply with respect to the communication and approval of financial promotions which:

  1. (1) if communicated by an unauthorised person without approval would contravene section 21(1) of the Act (Restrictions on financial promotion); and
  2. (2) may be communicated by a firm without contravening section 238(1) of the Act (Restrictions on promotion of collective investment schemes).

SYSC 1.1.5

See Notes

handbook-rule

SYSC 2 and SYSC 3, except SYSC 3.2.6A R to SYSC 3.2.6J G, also:

  1. (1) apply with respect to the carrying on of unregulated activities in a prudential context; and
  2. (2) take into account any activity of other members of a group of which the firm is a member.

SYSC 1.1.6

See Notes

handbook-guidance
SYSC 1.1.5 R (2) does not mean that inadequacy of a group member's systems and controls will automatically lead to a firm contravening, for example, SYSC 3.1.1 R. Rather, the potential impact of a group member's activities, including its systems and controls, and any systems and controls that operate on a group basis, will be relevant in determining the appropriateness of the firm's own systems and controls.

Where?

SYSC 1.1.7

See Notes

handbook-rule
SYSC 2 and SYSC 3 apply with respect to activities carried on from an establishment maintained by the firm (or its appointed representative) in the United Kingdom unless another applicable rule which is relevant to the activity has a wider territorial scope, in which case SYSC 2 and SYSC 3 apply with that wider scope in relation to the activity described in that rule.

SYSC 1.1.8

See Notes

handbook-guidance
An example of the type of rule referred to in SYSC 1.1.7 R with a different territorial scope is the rules in CASS 2 (Custody). CASS 2 applies, for certain UK firms, to activities carried on from branches in other EEA States as well as UK establishments (CASS 1.3.3 R (General application where?)). Therefore SYSC 2 and SYSC 3 apply to the custody activities described in CASS 2 carried on from such a branch by such a UK firm. The UK firm must, for example, take reasonable care to establish systems and controls under SYSC 3.1.1 R as are appropriate to those activities carried on from its EEA branches as well as from its UK establishments.

SYSC 1.1.9

See Notes

handbook-rule
SYSC 2 and SYSC 3, except SYSC 3.2.6A R to SYSC 3.2.6J G, also apply in a prudential context to a UK domestic firm with respect to activities wherever they are carried on.

SYSC 1.1.10

See Notes

handbook-rule
SYSC 3, except SYSC 3.2.6A R to SYSC 3.2.6J G, also applies in a prudential context to an overseas firm (other than an incoming EEA firm, incoming Treaty firm or UCITS qualifier) with respect to activities wherever they are carried on.

SYSC 1.1.11

See Notes

handbook-guidance
  1. (1) In considering whether to take regulatory action under SYSC 2 or SYSC 3 in relation to activities carried on outside the United Kingdom, the FSA will take into account the standards expected in the market in which the firm is operating.
  2. (2) Most of the rules in SYSC 3 are linked to other requirements and standards under the regulatory system which have their own territorial limitations so that those SYSC rules are similarly limited in scope.

SYSC 1.1.11A

See Notes

handbook-guidance
ECO 1.1.6 R has the effect that SYSC does not apply to an incoming ECA provider acting as such.

Actions for damages

SYSC 1.1.12

See Notes

handbook-rule
A contravention of the rules in SYSC 2 and SYSC 3 does not give rise to a right of action by a private person under section 150 of the Act (and each of those rules is specified under section 150(2) of the Act as a provision giving rise to no such right of action).

SYSC 1.2

Purpose

SYSC 1.2.1

See Notes

handbook-guidance

The purposes of SYSC are:

  1. (1) to encourage firms' directors and senior managers to take appropriate practical responsibility for their firms' arrangements on matters likely to be of interest to the FSA because they impinge on the FSA's functions under the Act;
  2. (2) to increase certainty by amplifying Principle 3, under which a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems; and
  3. (3) to encourage firms to vest responsibility for effective and responsible organisation in specific directors and senior managers.

SYSC 1.2.2

See Notes

handbook-guidance
The main matters, referred to in SYSC 1.2.1 G (1), which are likely to be of interest to the FSA are those which relate to confidence in the financial system; to the fair treatment of firms' customers; to the protection of consumers; and to the use of the financial system in connection with financial crime. The FSA is not primarily concerned with risks which threaten only the owners of a financial business except in so far as these risks may have an impact on those matters.

SYSC 2

Senior management arrangements

SYSC 2.1

Apportionment of Responsibilities

SYSC 2.1.1

See Notes

handbook-rule

A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that:

  1. (1) it is clear who has which of those responsibilities; and
  2. (2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior managers and governing body of the firm.

SYSC 2.1.2

See Notes

handbook-guidance
The role undertaken by a non-executive director will vary from one firm to another. For example, the role of a non-executive director in a friendly society may be more extensive than in other firms. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes. Provided that he has personally taken due care in his role, a non-executive director would not be held discipliniarily liable either for the failings of the firm or for those of individuals within the firm. The non-executive director function, for the purposes of the approved persons regime, is described in SUP 10.

SYSC 2.1.3

See Notes

handbook-rule

A firm must appropriately allocate to one or more individuals, in accordance with SYSC 2.1.4 R, the functions of:

  1. (1) dealing with the apportionment of responsibilities under SYSC 2.1.1 R; and
  2. (2) overseeing the establishment and maintenance of systems and controls under SYSC 3.1.1 R.

SYSC 2.1.4

See Notes

handbook-rule

Allocation of functions

This table belongs to SYSC 2.1.3 R

SYSC 2.1.5

See Notes

handbook-guidance
SYSC 2.1.3 R and SYSC 2.1.4 R give a firm some flexibility in the individuals to whom the functions may be allocated. It will be common for both the functions to be allocated solely to the firm's chief executive. SYSC 2.1.6 G contains further guidance on the requirements of SYSC 2.1.3 R and SYSC 2.1.4 R in a question and answer form.

SYSC 2.1.6

See Notes

handbook-guidance

Frequently asked questions about allocation of functions in SYSC 2.1.3 R

This table belongs to SYSC 2.1.5 G

SYSC 2.2

Recording the apportionment

SYSC 2.2.1

See Notes

handbook-rule
  1. (1) A firm must make a record of the arrangements it has made to satisfy SYSC 2.1.1 R (apportionment) and SYSC 2.1.3 R (allocation) and take reasonable care to keep this up to date.
  2. (2) This record must be retained for six years from the date on which it was superseded by a more up-to-date record.

SYSC 2.2.2

See Notes

handbook-guidance
  1. (1) A firm will be able to comply with SYSC 2.2.1 R by means of records which it keeps for its own purposes provided these records satisfy the requirements of SYSC 2.2.1 R and provided the firm takes reasonable care to keep them up to date. Appropriate records might, for this purpose, include organisational charts and diagrams, project management documents, job descriptions, committee constitutions and terms of reference provided they show a clear description of the firm's major functions.
  2. (2) Firms should record any material change to the arrangements described in SYSC 2.2.1 R as soon as reasonably practicable after that change has been made.

SYSC 2.2.3

See Notes

handbook-guidance
Where responsibilities have been allocated to more than one individual, the firm's record should show clearly how those responsibilities are shared or divided between the individuals concerned.

SYSC 3

Systems and Controls

SYSC 3.1

Systems and Controls

SYSC 3.1.1

See Notes

handbook-rule
A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

SYSC 3.1.2

See Notes

handbook-guidance
  1. (1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including:
    1. (a) the nature, scale and complexity of its business;
    2. (b) the diversity of its operations, including geographical diversity;
    3. (c) the volume and size of its transactions; and
    4. (d) the degree of risk associated with each area of its operation.
  2. (2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.
  3. (3) The areas typically covered by the systems and controls referred to in SYSC 3.1.1 R are those identified in SYSC 3.2. Detailed requirements regarding systems and controls relevant to particular business areas or particular types of firm are covered elsewhere in the Handbook.

SYSC 3.1.3

See Notes

handbook-guidance
Where the Combined Code developed by the Committee on Corporate Governance is relevant to a firm, the FSA, in considering whether the firm's obligations under SYSC 3.1.1 R have been met, will give it due credit for following corresponding provisions in the Code and related guidance.

SYSC 3.1.4

See Notes

handbook-guidance
A firm has specific responsibilities regarding its appointed representatives (see SUP 12).

SYSC 3.1.5

See Notes

handbook-guidance
SYSC 2.1.3 R (2) prescribes how a firm must allocate the function of overseeing the establishment and maintenance of systems and controls described in SYSC 3.1.1 R.

SYSC 3.2

Areas covered by systems and controls

Introduction

SYSC 3.2.1

See Notes

handbook-guidance
This section covers some of the main issues which a firm is expected to consider in establishing and maintaining the systems and controls appropriate to its business, as required by SYSC 3.1.1 R.

Organisation

SYSC 3.2.2

See Notes

handbook-guidance
A firm's reporting lines should be clear and appropriate having regard to the nature, scale and complexity of its business. These reporting lines, together with clear management responsibilities, should be communicated as appropriate within the firm.

SYSC 3.2.3

See Notes

handbook-guidance
  1. (1) A firm's governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives, appropriate safeguards should be put in place.
  2. (2) When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved.
  3. (3) The extent and limits of any delegation should be made clear to those concerned.
  4. (4) There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks.
  5. (5) If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.

SYSC 3.2.4

See Notes

handbook-guidance
  1. (1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.
  2. (2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.

SYSC 3.2.5

See Notes

handbook-guidance
Where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.

Systems and controls in relation to compliance, financial crime and money laundering

SYSC 3.2.6

See Notes

handbook-rule
A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.

SYSC 3.2.6A

See Notes

handbook-rule

A firm must ensure that these systems and controls:

  1. (1) enable it to identify, assess, monitor and manage money laundering risk; and
  2. (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.

SYSC 3.2.6B

See Notes

handbook-guidance
"Money laundering risk" is the risk that a firm may be used to further money laundering. Failure by a firm to manage this risk effectively will increase the risk to society of crime and terrorism.

SYSC 3.2.6C

See Notes

handbook-rule
A firm must carry out regular assessments of the adequacy of these systems and controls to ensure that it continues to comply with SYSC 3.2.6A R.

SYSC 3.2.6D

See Notes

handbook-guidance
A firm may also have separate obligations to comply with relevant legal requirements, including the Terrorism Act 2000, the Proceeds of Crime Act 2002 and the Money Laundering Regulations. SYSC 3.2.6 R to SYSC 3.2.6J G are not relevant for the purposes of regulation 3(3)of the Money Laundering Regulations, section 330(8) of the Proceeds of Crime Act 2002 or section 21A(6) of the Terrorism Act 2000.

SYSC 3.2.6E

See Notes

handbook-guidance
The FSA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the UK financial sector issued by the Joint Money Laundering Steering Group.

SYSC 3.2.6F

See Notes

handbook-guidance

In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:

  1. (1) its customer, product and activity profiles;
  2. (2) its distribution channels;
  3. (3) the complexity and volume of its transactions;
  4. (4) its processes and systems; and
  5. (5) its operating environment.

SYSC 3.2.6G

See Notes

handbook-guidance

A firm should ensure that the systems and controls include:

  1. (1) appropriate training for its employees in relation to money laundering;
  2. (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;
  3. (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering, including documentation of its application of those policies (see SYSC 3.2.20 R to SYSC 3.2.22 G);
  4. (4) appropriate measures to ensure that money laundering risk is taken into account in its day-to-day operation, including in relation to:
    1. (a) the development of new products;
    2. (b) the taking-on of new customers; and
    3. (c) changes in its business profile; and
  5. (5) appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.

SYSC 3.2.6H

See Notes

handbook-rule
A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.

The money laundering reporting officer

SYSC 3.2.6I

See Notes

handbook-rule

A firm must:

  1. (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and
  2. (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.

SYSC 3.2.6J

See Notes

handbook-guidance
The job of the MLRO within a firm is to act as the focal point for all activity within the firm relating to anti-money laundering. The FSA expects that a firm's MLRO will be based in the United Kingdom.

The compliance function

SYSC 3.2.7

See Notes

handbook-guidance
  1. (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
  2. (2) [deleted]
  3. (3) [deleted]

SYSC 3.2.8

See Notes

handbook-rule
  1. (1) A firm which carries on designated investment business with or for customers must allocate to a director or senior manager the function of:
    1. (a) having responsibility for oversight of the firm's compliance; and
    2. (b) reporting to the governing body in respect of that responsibility.
  2. (2) In SYSC 3.2.8 R (1) (1) "compliance" means compliance with the rules in:
    1. (a) COB COBS (Conduct of Business);
    2. (b) COLL (New Collective Investment Schemes) and CIS (Collective Investment Schemes) sourcebook); and
    3. (c) CASS (Client Assets)

SYSC 3.2.9

See Notes

handbook-guidance
  1. (1) SUP 10.7.8 R uses SYSC 3.2.8 R to describe the controlled function, known as the compliance oversight function, of acting in the capacity of a director or senior manager to whom this function is allocated.
  2. (2) The rules referred to in SYSC 3.2.8 R (2) are the minimum area of focus for the firm's compliance oversight function. A firm is free to give additional responsibilities to a person performing this function if it wishes.

Risk assessment

SYSC 3.2.10

See Notes

handbook-guidance
  1. (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate risk assessment function responsible for assessing the risks that the firm faces and advising the governing body and senior managers on them.
  2. (2) The organisation and responsibilities of a risk assessment function should be documented. The function should be adequately resourced and staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively.
  3. (3) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).

Management information

SYSC 3.2.11

See Notes

handbook-guidance
  1. (1) A firm's arrangements should be such as to furnish its governing body with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Three factors will be the relevance, reliability and timeliness of that information.
  2. (2) Risks of regulatory concern are those risks which relate to the fair treatment of the firm's customers, to the protection of consumers, to confidence in the financial system, and to the use of that system in connection with financial crime.

SYSC 3.2.12

See Notes

handbook-guidance
It is the responsibility of the firm to decide what information is required, when, and for whom, so that it can organise and control its activities and can comply with its regulatory obligations. The detail and extent of information required will depend on the nature, scale and complexity of the business.

Employees and agents

SYSC 3.2.13

See Notes

handbook-guidance
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it.

SYSC 3.2.14

See Notes

handbook-guidance
  1. (1) SYSC 3.2.13 G includes assessing an individual's honesty, and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
  2. (2) Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.
  3. (3) The FSA's detailed requirements on firms with respect to the competence of individuals are in the Training and Competence sourcebook (TC).[deleted]
  4. (4) The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10.

Audit committee

SYSC 3.2.15

See Notes

handbook-guidance
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G) and provide an interface between management and the external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.

Internal audit

SYSC 3.2.16

See Notes

handbook-guidance

Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.

  1. (1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
  2. (2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).

Business strategy

SYSC 3.2.17

See Notes

handbook-guidance

A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.

Remuneration policies

SYSC 3.2.18

See Notes

handbook-guidance

It is possible that firms' remuneration policies will from time to time lead to tensions between the ability of the firm to meet the requirements and standards under the regulatory system and the personal advantage of those who act for it. Where tensions exist, these should be appropriately managed.

Business continuity

SYSC 3.2.19

See Notes

handbook-guidance

A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Records

SYSC 3.2.20

See Notes

handbook-rule
  1. (1) A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.
  2. (2) Subject to (3) and to any other record-keeping rule in the Handbook, the records required by (1) or by such other rule must be capable of being reproduced in the English language on paper.
  3. (3) If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language as required by (2).

SYSC 3.2.21

See Notes

handbook-guidance

A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.

SYSC 3.2.22

See Notes

handbook-guidance

Detailed record-keeping requirements for different types of firm are to be found elsewhere in the Handbook. Schedule 1 to the Handbook is a consolidated schedule of these requirements.

SYSC 3A

Operational Risk: Systems and Controls

SYSC 3A.1

Application

SYSC 3A.1.1

See Notes

handbook-guidance

SYSC 3A applies to an insurer unless it is:

  1. (1) a non-directive friendly society; or
  2. (2) an incoming EEA firm; or
  3. (3) an incoming Treaty firm.

SYSC 3A.1.1A

See Notes

handbook-guidance

SYSC 3A applies to a UK ISPV.

SYSC 3A.1.2

See Notes

handbook-guidance

SYSC 3A applies to:

  1. (1) an EEA-deposit insurer; and
  2. (2) a Swiss general insurer;

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

SYSC 3A.2

Purpose

SYSC 3A.2.1

See Notes

handbook-guidance

This chapter provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any of a firm's operations, such as its IT systems and outsourcing arrangements. It does not cover systems and controls for managing credit, market, liquidity and insurance risk.

SYSC 3A.2.2

See Notes

handbook-guidance

Operational risk is a concept that can have a different application for different firms. A firm should assess the appropriateness of the guidance in this chapter in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3, to organise and control its affairs responsibly and effectively.

SYSC 3A.2.3

See Notes

handbook-guidance

A firm should take steps to understand the types of operational risk that are relevant to its particular circumstances, and the operational losses to which they expose the firm. This should include considering the potential sources of operational risk addressed in this chapter: people; processes and systems; external events.

SYSC 3A.2.4

See Notes

handbook-guidance

Operational risk can affect, amongst other things, a firm's solvency, or lead to unfair treatment of consumers or lead to financial crime. A firm should consider all operational risk events that may affect these matters in establishing and maintaining its systems and controls.

SYSC 3A.3

Other related Handbook sections

SYSC 3A.3.1

See Notes

handbook-guidance

The following is a non-exhaustive list of rules and guidance in the Handbook that are relevant to a firm's management of operational risk:

  1. (1) PRU 1.4 and PRU 6.1 contain specific rules and guidance for the establishment and maintenance of operational risk systems and controls in a prudential context.
  2. (2) COB contains rules and guidance that can relate to the management of operational risk, for example, COB 2 (Rules which apply to all firms conducting designated investment business), COB 3 (Financial promotion), COB 5 (Advising and selling) and COB 7 (Dealing and managing).

SYSC 3A.4

Requirements to notify the FSA

SYSC 3A.4.1

See Notes

handbook-guidance

Under Principle 11 and SUP 15.3.1 R a firm must notify the FSA immediately of any operational risk matter of which the FSA would reasonably expect notice. SUP 15.3.8 G provides guidance on the occurrences that this requirement covers, which include a significant failure in systems and controls and a significant operational loss.

SYSC 3A.4.2

See Notes

handbook-guidance

Regarding operational risk, matters of which the FSA would expect notice under Principle 11 include:

  1. (1) any significant operational exposures that a firm has identified;
  2. (2) the firm's invocation of a business continuity plan; and
  3. (3) any other significant change to a firm's organisation, infrastructure or business operating environment.

SYSC 3A.5

Risk management terms

SYSC 3A.5.1

See Notes

handbook-guidance

In this chapter, the following interpretations of risk management terms apply:

  1. (1) a firm's risk culture encompasses the general awareness, attitude and behaviour of its employees and appointed representatives to risk and the management of risk within the organisation;
  2. (2) operational exposure means the degree of operational risk faced by a firm and is usually expressed in terms of the likelihood and impact of a particular type of operational loss occurring (for example, fraud, damage to physical assets);
  3. (3) a firm's operational risk profile describes the types of operational risks that it faces, including those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients, and its exposure to these risks.

SYSC 3A.6

People

SYSC 3A.6.1

See Notes

handbook-guidance

A firm should consult SYSC 3.2.2 G to SYSC 3.2.5 G for guidance on reporting lines and delegation of functions within a firm and SYSC 3.2.13 G to SYSC 3.2.14 G for guidance on the suitability of employees and appointed representatives. This section provides additional guidance on management of employees and other human resources in the context of operational risk.

SYSC 3A.6.2

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for the management of operational risks that can arise from employees. In doing so, a firm should have regard to:

  1. (1) its operational risk culture, and any variations in this or its human resource management practices, across its operations (including, for example, the extent to which the compliance culture is extended to in-house IT staff);
  2. (2) whether the way employees are remunerated exposes the firm to the risk that it will not be able to meet its regulatory obligations (see SYSC 3.2.18 G). For example, a firm should consider how well remuneration and performance indicators reflect the firm's tolerance for operational risk, and the adequacy of these indicators for measuring performance;
  3. (3) whether inadequate or inappropriate training of client-facing services exposes clients to risk of loss or unfair treatment including by not enabling effective communication with the firm;
  4. (4) the extent of its compliance with applicable regulatory and other requirements that relate to the welfare and conduct of employees;
  5. (5) its arrangements for the continuity of operations in the event of employee unavailability or loss;
  6. (6) the relationship between indicators of 'people risk' (such as overtime, sickness, and employee turnover levels) and exposure to operational losses; and
  7. (7) the relevance of all the above to employees of a third party supplier who are involved in performing an outsourcing arrangement. As necessary, a firm should review and consider the adequacy of the staffing arrangements and policies of a service provider.

Employee Responsibilities

SYSC 3A.6.3

See Notes

handbook-guidance

A firm should ensure that all employees are capable of performing, and aware of, their operational risk management responsibilities, including by establishing and maintaining:

  1. (1) appropriate segregation of employees' duties and appropriate supervision of employees in the performance of their responsibilities (see SYSC 3.2.5 G);
  2. (2) appropriate recruitment and subsequent processes to review the fitness and propriety of employees (see SYSC 3.2.13 G and SYSC 3.2.14 G);
  3. (3) clear policy statements and appropriate systems and procedures manuals that are effectively communicated to employees and available for employees to refer to as required. These should cover, for example, compliance, IT security and health and safety issues;
  4. (4) training processes that enable employees to attain and maintain appropriate competence; and
  5. (5) appropriate and properly enforced disciplinary and employment termination policies and procedures.

SYSC 3A.6.4

See Notes

handbook-guidance

A firm should have regard to SYSC 3A.6.3 G in relation to approved persons, people occupying positions of high personal trust (for example, security administration, payment and settlement functions); and people occupying positions requiring significant technical competence (for example, derivatives trading and technical security administration). A firm should also consider the rules and guidance for approved persons in other parts of the Handbook (including APER and SUP) and the rules and guidance on senior manager responsibilities in SYSC 2.1 (Apportionment of Responsibilities).

SYSC 3A.7

Processes and systems

SYSC 3A.7.1

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to:

  1. (1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems);
  2. (2) controls that will help it to prevent system and process failures or identify them to permit prompt rectification (including pre-approval or reconciliation processes);
  3. (3) whether the design and use of its processes and systems allow it to comply adequately with regulatory and other requirements;
  4. (4) its arrangements for the continuity of operations in the event that a significant process or system becomes unavailable or is destroyed; and
  5. (5) the importance of monitoring indicators of process or system risk (including reconciliation exceptions, compensation payments for client losses and documentation errors) and experience of operational losses and exposures.

Internal documentation

SYSC 3A.7.2

See Notes

handbook-guidance

Internal documentation may enhance understanding and aid continuity of operations, so a firm should ensure the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational risk.

External documentation

SYSC 3A.7.3

See Notes

handbook-guidance

A firm may use external documentation (including contracts, transaction statements or advertising brochures) to define or clarify terms and conditions for its products or activities, its business strategy (for example, including through press statements), or its brand. Inappropriate or inaccurate information in external documents can lead to significant operational exposure.

SYSC 3A.7.4

See Notes

handbook-guidance

A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so a firm should have regard to:

  1. (1) compliance with applicable regulatory and other requirements (such as COB 3 (Financial promotion));
  2. (2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard terms (whose meaning may not yet be settled or whose effectiveness may be uncertain);
  3. (3) the manner in which its documentation is issued; and
  4. (4) the extent to which confirmation of acceptance is required (including by customer signature or counterparty confirmation).

IT systems

SYSC 3A.7.5

See Notes

handbook-guidance

IT systems include the computer systems and infrastructure required for the automation of processes, such as application and operating system software; network infrastructure; and desktop, server, and mainframe hardware. Automation may reduce a firm's exposure to some 'people risks' (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.

SYSC 3A.7.6

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:

  1. (1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
  2. (2) the extent to which technology requirements are addressed in its business strategy;
  3. (3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
  4. (4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).

Information security

SYSC 3A.7.7

See Notes

handbook-guidance

Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so a firm should have regard to:

  1. (1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
  2. (2) integrity: safeguarding the accuracy and completeness of information and its processing;
  3. (3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
  4. (4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.

SYSC 3A.7.8

See Notes

handbook-guidance

A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

Geographic location

SYSC 3A.7.9

See Notes

handbook-guidance

Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to:

  1. (1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or cultural differences on the provision of services);
  2. (2) relevant local regulatory and other requirements regarding data protection and transfer;
  3. (3) the extent to which local regulatory and other requirements may restrict its ability to meet regulatory obligations in the United Kingdom (for example, access to information by the FSA and local restrictions on internal or external audit); and
  4. (4) the timeliness of information flows to and from its headquarters and whether the level of delegated authority and the risk management structures of the overseas operation are compatible with the firm's head office arrangements.

SYSC 3A.8

External events and other changes

SYSC 3A.8.1

See Notes

handbook-guidance

The exposure of a firm to operational risk may increase during times of significant change to its organisation, infrastructure and business operating environment (for example, following a corporate restructure or changes in regulatory requirements). Before, during, and after expected changes, a firm should assess and monitor their effect on its risk profile, including with regard to:

  1. (1) untrained or de-motivated employees or a significant loss of employees during the period of change, or subsequently;
  2. (2) inadequate human resources or inexperienced employees carrying out routine business activities owing to the prioritisation of resources to the programme or project;
  3. (3) process or system instability and poor management information due to failures in integration or increased demand; and
  4. (4) inadequate or inappropriate processes following business re-engineering.

SYSC 3A.8.2

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for the management of the risks involved in expected changes, such as by ensuring:

  1. (1) the adequacy of its organisation and reporting structure for managing the change (including the adequacy of senior management oversight);
  2. (2) the adequacy of the management processes and systems for managing the change (including planning, approval, implementation and review processes); and
  3. (3) the adequacy of its strategy for communicating changes in systems and controls to its employees.

Unexpected changes and business continuity management

SYSC 3A.8.3

See Notes

handbook-guidance

SYSC 3.2.19 G provides high level guidance on business continuity. This section provides additional guidance on managing business continuity in the context of operational risk.

SYSC 3A.8.4

See Notes

handbook-guidance

The high level requirement for appropriate systems and controls at SYSC 3.1.1 R applies at all times, including when a business continuity plan is invoked. However, the FSA recognises that, in an emergency, a firm may be unable to comply with a particular rule and the conditions for relief are outlined in GEN 1.3 (Emergency).

SYSC 3A.8.5

See Notes

handbook-guidance

A firm should consider the likelihood and impact of a disruption to the continuity of its operations from unexpected events. This should include assessing the disruptions to which it is particularly susceptible (and the likely timescale of those disruptions) including through:

  1. (1) loss or failure of internal and external resources (such as people, systems and other assets);
  2. (2) the loss or corruption of its information; and
  3. (3) external events (such as vandalism, war and "acts of God").

SYSC 3A.8.6

See Notes

handbook-guidance

A firm should implement appropriate arrangements to maintain the continuity of its operations. A firm should act to reduce both the likelihood of a disruption (including by succession planning, systems resilience and dual processing); and the impact of a disruption (including by contingency arrangements and insurance).

SYSC 3A.8.7

See Notes

handbook-guidance

A firm should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. A firm should establish:

  1. (1) formal business continuity plans that outline arrangements to reduce the impact of a short, medium or long-term disruption, including:
    1. (a) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
    2. (b) the recovery priorities for the firm's operations; and
    3. (c) communication arrangements for internal and external concerned parties (including the FSA, clients and the press);
  2. (2) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
  3. (3) processes to validate the integrity of information affected by the disruption;
  4. (4) processes to review and update (1) to (3) following changes to the firm's operations or risk profile (including changes identified through testing).

SYSC 3A.8.8

See Notes

handbook-guidance

The use of an alternative site for recovery of operations is common practice in business continuity management. A firm that uses an alternative site should assess the appropriateness of the site, particularly for location, speed of recovery and adequacy of resources. Where a site is shared, a firm should evaluate the risk of multiple calls on shared resources and adjust its plans accordingly.

SYSC 3A.9

Outsourcing

SYSC 3A.9.1

See Notes

handbook-guidance

As SYSC 3.2.4 G explains, a firm cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourcing functions. This section provides additional guidance on managing outsourcing arrangements (and will be relevant, to some extent, to other forms of third party dependency) in relation to operational risk. Outsourcing may affect a firm's exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.

SYSC 3A.9.2

See Notes

handbook-guidance

Firms should take particular care to manage material outsourcing arrangements and, as SUP 15.3.8 G (1)(e) explains, a firm should notify the FSA when it intends to enter into a material outsourcing arrangement.

SYSC 3A.9.3

See Notes

handbook-guidance

A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk.

SYSC 3A.9.4

See Notes

handbook-guidance

Before entering into, or significantly changing, an outsourcing arrangement, a firm should:

  1. (1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
  2. (2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
  3. (3) conduct appropriate due diligence of the service provider's financial stability and expertise;
  4. (4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
  5. (5) consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

SYSC 3A.9.5

See Notes

handbook-guidance

In negotiating its contract with a service provider, a firm should have regard to:

  1. (1) reporting or notification requirements it may wish to impose on the service provider;
  2. (2) whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the Act) and to the FSA (see SUP 2.3.5 R (Access to premises) and SUP 2.3.7 R (Suppliers under material outsourcing arrangements);
  3. (3) information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
  4. (4) the adequacy of any guarantees and indemnities;
  5. (5) the extent to which the service provider must comply with the firm's policies and procedures (covering, for example, information security);
  6. (6) the extent to which a service provider will provide business continuity for outsourcing operations, and whether exclusive access to its resources is agreed;
  7. (7) the need for continued availability of software following difficulty at a third party supplier;
  8. (8) the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
    1. (a) a change of ownership or control (including insolvency or receivership) of the service provider or firm;
    2. (b) significant change in the business operations (including sub-contracting) of the service provider or firm; or
    3. (c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

SYSC 3A.9.6

See Notes

handbook-guidance

In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:

  1. (1) the identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
  2. (2) the evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
  3. (3) remedial action and escalation processes for dealing with inadequate performance.

SYSC 3A.9.7

See Notes

handbook-guidance

In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls. The use of such reports does not absolve the firm of responsibility to maintain other oversight. In addition, the firm should not normally have to forfeit its right to access, for itself or its agents, to the service provider's premises.

SYSC 3A.9.8

See Notes

handbook-guidance

A firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement.

SYSC 3A.10

Insurance

SYSC 3A.10.1

See Notes

handbook-guidance

Whilst a firm may take out insurance with the aim of reducing the monetary impact of operational risk events, non-monetary impacts may remain (including impact on the firm's reputation). A firm should not assume that insurance alone can replace robust systems and controls.

SYSC 3A.10.2

See Notes

handbook-guidance

When considering utilising insurance, a firm should consider:

  1. (1) the time taken for the insurer to pay claims (including the potential time taken in disputing cover) and the firm's funding of operations whilst awaiting payment of claims;
  2. (2) the financial strength of the insurer, which may determine its ability to pay claims, particularly where large or numerous small claims are made at the same time; and
  3. (3) the effect of any limiting conditions and exclusion clauses that may restrict cover to a small number of specific operational losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).

SYSC 4

Guidance on Public Interest Disclosure Act: Whistleblowing

SYSC 4.1

Application and purpose

SYSC 4.1.1

See Notes

handbook-guidance

This chapter is relevant to every firm to the extent that the Public Interest Disclosure Act 1998 ("PIDA") applies to it.

Purpose

SYSC 4.1.2

See Notes

handbook-guidance
  1. (1) The purposes of this chapter are:
    1. (a) to remind firms of the provisions of PIDA; and
    2. (b) to encourage firms to consider adopting and communicating to workers appropriate internal procedures for handling workers' concerns as part of an effective risk management system.
  2. (2) In this chapter "worker" includes, but is not limited to, an individual who has entered into a contract of employment.

SYSC 4.1.3

See Notes

handbook-guidance

The guidance in this chapter concerns the effect of PIDA in the context of the relationship between firms and the FSA. It is not comprehensive guidance on PIDA itself.

SYSC 4.1.8A

See Notes

handbook-rule

An operator of an electronic system in relation to lending must take reasonable steps to ensure that arrangements are in place to ensure that P2P agreements facilitated by it will continue to be managed and administered, in accordance with the contract terms, if at any time it ceases to carry on the activity of operating an electronic system in relation to lending

SYSC 4.2

Practical measures

Effect of PIDA

SYSC 4.2.1

See Notes

handbook-guidance
  1. (1) Under PIDA, any clause or term in an agreement between a worker and his employer is void in so far as it purports to preclude the worker from making a protected disclosure (that is, "blow the whistle").
  2. (2) In accordance with section 1 of PIDA:
    1. (a) a protected disclosure is a qualifying disclosure which meets the relevant requirements set out in that section;
    2. (b) a qualifying disclosure is a disclosure, made in good faith, of information which, in the reasonable belief of the worker making the disclosure, tends to show that one or more of the following (a "failure") has been, is being, or is likely to be, committed:
      1. (i) a criminal offence; or
      2. (ii) a failure to comply with any legal obligation; or
      3. (iii) a miscarriage of justice; or
      4. (iv) the putting of the health and safety of any individual in danger; or
      5. (v) damage to the environment; or
      6. (vi) deliberate concealment relating to any of (i) to (v);
it is immaterial whether the relevant failure occurred, occurs or would occur in the United Kingdom or elsewhere, and whether the law applying to it is that of the United Kingdom or of any other country or territory.

Internal procedures

SYSC 4.2.2

See Notes

handbook-guidance
  1. (1) Firms are encouraged to consider adopting (and encouraged to invite their appointed representatives to consider adopting) appropriate internal procedures which will encourage workers with concerns to blow the whistle internally about matters which are relevant to the functions of the FSA.
  2. (2) Smaller firms may choose not to have as extensive procedures in place as larger firms. For example, smaller firms may not need written procedures. The following is a list of things that larger and smaller firms may want to do.
    1. (a) For larger firms, appropriate internal procedures may include:
      1. (i) a clear statement that the firm takes failures seriously (see SYSC 4.2.1 G (2)(b));
      2. (ii) an indication of what is regarded as a failure;
      3. (iii) respect for the confidentiality of workers who raise concerns, if they wish this;
      4. (iv) an assurance that, where a protected disclosure has been made, the firm will take all reasonable steps to ensure that no person under its control engages in victimisation;
      5. (v) the opportunity to raise concerns outside the line management structure, such as with the Compliance Director, Internal Auditor or Company Secretary;
      6. (vi) penalties for making false and malicious allegations;
      7. (vii) an indication of the proper way in which concerns may be raised outside the firm if necessary (see (3);
      8. (viii) providing access to an external body such as an independent charity for advice;
      9. (ix) making whistleblowing procedures accessible to staff of key contractors; and
      10. (x) written procedures.
    2. (b) For smaller firms, appropriate internal procedures may include:
      1. (i) telling workers that the firm takes failures seriously (see SYSC 4.2.1 G (2)(b)) and explaining how wrongdoing affects the organisation;
      2. (ii) telling workers what conduct is regarded as failure;
      3. (iii) telling workers who raise concerns that their confidentiality will be respected, if they wish this;
      4. (iv) making it clear that concerned workers will be supported and protected from reprisals;
      5. (v) nominating a senior officer as an alternative route to line management and telling workers how they can contact that individual in confidence;
      6. (vi) making it clear that false and malicious allegations will be penalised by the firm;
      7. (vii) telling workers how they can properly blow the whistle outside the firm if necessary (see (3);
      8. (viii) providing access to an external body for advice such as an independent charity for advice; and
      9. (ix) encouraging managers to be open to concerns.
  3. (3)
    1. (a) Firms should also consider telling workers (through the firm's internal procedures, or by means of an information sheet available from the FSA's website, or by some other means) that they can blow the whistle to the FSA, as the regulator prescribed in respect of financial services and markets matters under PIDA.
    2. (b) The FSA will give priority to live concerns or matters of recent history, and will emphasise that the worker's first port of call should ordinarily be the firm (see Frequently Asked Questions on www.fsa.gov.uk/whistle/).
    3. (c) For the FSA's treatment of confidential information, see SUP 2.2.4 G.

Links to fitness and propriety

SYSC 4.2.3

See Notes

handbook-guidance

The FSA would regard as a serious matter any evidence that a firm had acted to the detriment of a worker because he had made a protected disclosure (see SYSC 4.2.1 G (2) about matters which are relevant to the functions of the FSA. Such evidence could call into question the fitness and propriety of the firm or relevant members of its staff, and could therefore, if relevant, affect the firm's continuing satisfaction of threshold condition 5 (Suitability) or, for an approved person, his status as such.

SYSC 11

Liquidity risk systems and controls

SYSC 11.1

Application

SYSC 11.1.1

See Notes

handbook-rule

SYSC 11 applies to:

  1. (1) an insurer, unless it is an EEA-deposit insurer or a Swiss general insurer;
  2. (2) a BIPRU firm;
  3. (3) an incoming EEA firm which:
    1. (a) is a full BCD credit institution; and
    2. (b) has a branch in the United Kingdom;
  4. (4) a third country BIPRU firm which:
    1. (a) is a bank; and
    2. (b) has a branch in the United Kingdom.

[Note: first paragraph of article 41 of the Banking Consolidation Directive]

SYSC 11.1.2

See Notes

handbook-rule
If this chapter applies because the firm has a branch in the United Kingdom (see SYSC 11.1.1R (3) or SYSC 11.1.1R (4)), SYSC 11 applies only with respect to the branch.

SYSC 11.1.3

See Notes

handbook-rule
SYSC 11 applies to an incoming EEA firm only to the extent that the relevant matter is not reserved by the relevant Single Market Directive to the firm's Home State regulator.

SYSC 11.1.4

See Notes

handbook-rule

SYSC 11 does not apply to:

  1. (1) a non-directive friendly society; or
  2. (2) a UCITS qualifier; or
  3. (3) an ICVC; or
  4. (4) an incoming EEA firm (unless it has a branch in the United Kingdom - see SYSC 11.1.1R (3)); or
  5. (5) an incoming Treaty firm.

SYSC 11.1.5

See Notes

handbook-guidance
  1. (1) SYSC 11.1.11 R and SYSC 11.1.12 R apply only to a BIPRU firm.
  2. (2) SYSC 11.1.26 G to SYSC 11.1.32 G do not apply to insurers.

SYSC 11.1.6

See Notes

handbook-rule

If a firm carries on:

  1. (1) long-term insurance business; and
  2. (2) general insurance business;

SYSC 11 applies separately to each type of business.

Purpose

SYSC 11.1.7

See Notes

handbook-guidance

The purpose of SYSC 11 is to amplify GENPRU and SYSC in their specific application to liquidity risk and, in so doing, to indicate minimum standards for systems and controls in respect of that risk.

SYSC 11.1.8

See Notes

handbook-guidance

Appropriate systems and controls for the management of liquidity risk will vary with the scale, nature and complexity of the firm's activities. Most of the material in SYSC 11 is, therefore, guidance. SYSC 11 lays out some of the main issues that the FSA expects a firm to consider in relation to liquidity risk. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3 to organise and control its affairs responsibly and effectively.

SYSC 11.1.9

See Notes

handbook-guidance

SYSC 11 addresses the need to have appropriate systems and controls to deal both with liquidity management issues under normal market conditions, and with stressed or extreme situations resulting from either general market turbulence or firm-specific difficulties.

SYSC 11.1.10

See Notes

handbook-guidance

SYSC 11.1.11 R and SYSC 11.1.12 R implement the specific liquidity risk requirements of the BCD.

Requirements

SYSC 11.1.11

See Notes

handbook-rule

A BIPRU firm must have policies and processes for the measurement and management of its net funding position and requirements on an ongoing and forward looking basis. Alternative scenarios must be considered and the assumptions underpinning decisions concerning the net funding position must be reviewed regularly.

[Note: annex V paragraph 14 of the Banking Consolidation Directive]

SYSC 11.1.12

See Notes

handbook-rule

A BIPRU firm must have contingency plans in place to deal with liquidity crises.

[Note: annex V paragraph 15 of the Banking Consolidation Directive]

SYSC 11.1.13

See Notes

handbook-guidance

An insurer is also required to comply with the requirements in relation to liquidity risk set out in INSPRU 4.1.

SYSC 11.1.14

See Notes

handbook-guidance

SYSC 4.1.1 R requires a BIPRU firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to. A BIPRU firm is required by SYSC 7.1.2 R to establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment. Liquidity risk is one of the risks covered by both of those requirements.

SYSC 11.1.15

See Notes

handbook-guidance

A UK bank, a branch of an EEA bank and a branch of an overseas bank is required in IPRU(BANK) GN 3.4.3 to set out its policy on the management of its liquidity. Guidance on a bank's liquidity policy statement is given in IPRU(BANK) LM Section 10. Guidance on a bank's management of liquidity risk is given in IPRU(BANK) LM Sections 2 and 9.

SYSC 11.1.16

See Notes

handbook-guidance

A building society is required by IPRU(BSOC) 5.2.7 R to maintain a board-approved policy statement on liquidity. Guidance on a building society's liquidity policy statement is given in IPRU(BSOC) 5.2.8 and IPRU(BSOC) Annex 5B Guidance on a building society's management of liquidity risk is given in IPRU(BSOC) Sections 5.3 to 5.8.

SYSC 11.1.17

See Notes

handbook-guidance

High level requirements in relation to carrying out stress testing and scenario analysis are set out in GENPRU 1.2. In particular, GENPRU 1.2.42R requires a firm to carry out appropriate stress testing and scenario analysis. SYSC 11 gives guidance in relation to these tests in the case of liquidity risk.

Stress testing and scenario analysis

SYSC 11.1.18

See Notes

handbook-guidance

The effect of GENPRU 1.2.30R, GENPRU 1.2.34R, GENPRU 1.2.37R(1) and GENPRU 1.2.42R is that, for the purposes of determining the adequacy of its overall financial resources, a firm must carry out appropriate stress testing and scenario analysis, including taking reasonable steps to identify an appropriate range of realistic adverse circumstances and events in which liquidity risk might occur or crystallise.

SYSC 11.1.19

See Notes

handbook-guidance

GENPRU 1.2.40G and GENPRU 1.2.62G to GENPRU 1.2.78G give guidance on stress testing and scenario analysis, including on how to choose appropriate scenarios, but the precise scenarios that a firm chooses to use will depend on the nature of its activities. For the purposes of testing liquidity risk, however, a firm should normally consider scenarios based on varying degrees of stress and both firm-specific and market-wide difficulties. In developing any scenario of extreme market-wide stress that may pose systemic risk, it may be appropriate for a firm to make assumptions about the likelihood and nature of central bank intervention.

SYSC 11.1.20

See Notes

handbook-guidance

A firm should review frequently the assumptions used in stress testing scenarios to gain assurance that they continue to be appropriate.

SYSC 11.1.21

See Notes

handbook-evidential-provisions
  1. (1) A scenario analysis in relation to liquidity risk required under GENPRU 1.2.42R should include a cash-flow projection for each scenario tested, based on reasonable estimates of the impact (both on and off balance sheet) of that scenario on the firm's funding needs and sources.
  2. (2) Contravention of (1) may be relied on as tending to establish contravention of GENPRU 1.2.42R.

SYSC 11.1.22

See Notes

handbook-guidance

In identifying the possible on and off balance sheet impact referred to in SYSC 11.1.21E (1), a firm may take into account:

  1. (1) possible changes in the market's perception of the firm and the effects that this might have on the firm's access to the markets, including:
    1. (a) (where the firm funds its holdings of assets in one currency with liabilities in another) access to foreign exchange markets, particularly in less frequently traded currencies;
    2. (b) access to secured funding, including by way of repo transactions; and
    3. (c) the extent to which the firm may rely on committed facilities made available to it;
  2. (2) (if applicable) the possible effect of each scenario analysed on currencies whose exchange rates are currently pegged or fixed; and
  3. (3) that:
    1. (a) general market turbulence may trigger a substantial increase in the extent to which persons exercise rights against the firm under off balance sheet instruments to which the firm is party;
    2. (b) access to OTC derivative and foreign exchange markets are sensitive to credit-ratings;
    3. (c) the scenario may involve the triggering of early amortisation in asset securitisation transactions with which the firm has a connection; and
    4. (d) its ability to securitise assets may be reduced.

Contingency funding plans

SYSC 11.1.23

See Notes

handbook-guidance

GENPRU 1.2.26R states that a firm must at all times maintain overall financial resources adequate to ensure that there is no significant risk that its liabilities cannot be met as they fall due. GENPRU 1.2.42R(1)(b) provides that for the purposes of determining the adequacy of its overall financial resources, a firm must estimate the financial resources it would need in each of the circumstances and events considered in carrying out its stress testing and scenario analysis in order to, inter alia, meet its liabilities as they fall due.

SYSC 11.1.24

See Notes

handbook-evidential-provisions
  1. (1) A firm should have an adequately documented contingency funding plan for taking action to ensure, so far as it can, that, in each of the scenarios analysed under GENPRU 1.2.42R(1)(b), it would still have sufficient liquid financial resources to meet liabilities as they fall due.
  2. (2) The contingency funding plan should cover what events or circumstances will lead the firm to put into action any part of the plan.
  3. (3) The contingency funding plan of a firm described in SYSC 11.1.1R (2) to SYSC 11.1.1R (4) should cover the extent to which the actions in (1) include:
    1. (a) selling, using as collateral in secured funding (including repo), or securitising, its assets;
    2. (b) otherwise reducing its assets;
    3. (c) modifying the structure of its liabilities or increasing its liabilities; and
    4. (d) the use of committed facilities.
  4. (4) A firm's contingency funding plan should, where relevant, take account of the impact of stressed market conditions on:
    1. (a) the behaviour of any credit-sensitive liabilities it has; and
    2. (b) its ability to securitise assets.
  5. (5) A firm's contingency funding plan should contain administrative policies and procedures that will enable the firm to manage the plan's implementation effectively, including:
    1. (a) the responsibilities of senior management;
    2. (b) names and contact details of members of the team responsible for implementing the contingency funding plan;
    3. (c) where, geographically, team members will be assigned;
    4. (d) who within the team is responsible for contact with head office (if appropriate), analysts, investors, external auditors, press, significant client's, regulators, lawyers and others; and
    5. (e) mechanisms that enable senior management and the governing body to receive management information that is both relevant and timely.
  6. (6) Contravention of any of (1) to (5) may be relied upon as tending to establish contravention of GENPRU 1.2.30R(2)(c).

Documentation

SYSC 11.1.25

See Notes

handbook-guidance

GENPRU 1.2.60R requires a firm to document its assessment of the adequacy of its liquidity financial resources, how it intends to deal with those risks, and details of the stress tests and scenario analyses carried out and the resulting financial resources estimated to be required. Accordingly, a firm should document both its stress testing and scenario analysis (see SYSC 11.1.18 G) and its contingency funding plan (see SYSC 11.1.23 G).

Management information systems

SYSC 11.1.26

See Notes

handbook-guidance

A firm should have adequate information systems for controlling and reporting liquidity risk. The management information system should be used to check for compliance with the firm's established policies, procedures and limits.

SYSC 11.1.27

See Notes

handbook-guidance

Reports on liquidity risk should be provided on a timely basis to the firm's governing body, senior management and other appropriate personnel. The appropriate content and format of reports depends on a firm's liquidity management practices and the nature, scale and complexity of the firm's business. Reports to the firm's governing body may be less detailed and less frequent than reports to senior management with responsibility for managing liquidity risk.

SYSC 11.1.28

See Notes

handbook-guidance

The FSA would expect management information to normally contain the following:

  1. (1) a cash-flow or funding gap report;
  2. (2) a funding maturity schedule;
  3. (3) a list of large providers of funding; and
  4. (4) a limit monitoring and exception report.

SYSC 11.1.29

See Notes

handbook-guidance

When considering what else might be included in liquidity risk management information, a firm should consider other types of information that may be important for understanding its liquidity risk profile. This may include:

  1. (1) asset quality and trends;
  2. (2) any changes in the firm's funding strategy;
  3. (3) earnings projections; and
  4. (4) the firm's reputation in the market and the condition of the market itself.

Limit setting

SYSC 11.1.30

See Notes

handbook-guidance

A firm's senior management should decide what limits need to be set, in accordance with the nature, scale and complexity of its activities. The structure of limits should reflect the need for a firm to have systems and controls in place to guard against a spectrum of possible risks, from those arising in day-to-day liquidity risk management to those arising in stressed conditions.

SYSC 11.1.31

See Notes

handbook-guidance

A firm should periodically review and, where appropriate, adjust its limits when conditions or risk tolerances change.

SYSC 11.1.32

See Notes

handbook-guidance

Policy or limit exceptions should receive the prompt attention of the appropriate management and should be resolved according to processes described in approved policies.

SYSC 13

Operational risk: systems and controls

SYSC 13.1

Application

SYSC 13.1.2

See Notes

handbook-guidance

SYSC 13 applies to:

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

SYSC 13.1.3

See Notes

handbook-guidance
SYSC 13 applies to a UK ISPV.

SYSC 13.2

Purpose

SYSC 13.2.1

See Notes

handbook-guidance
SYSC 13 provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any of a firm's operations, such as its IT systems and outsourcing arrangements. It does not cover systems and controls for managing credit, market, liquidity and insurance risk.

SYSC 13.2.2

See Notes

handbook-guidance
Operational risk is a concept that can have a different application for different firms. A firm should assess the appropriateness of the guidance in this chapter in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3, to organise and control its affairs responsibly and effectively.

SYSC 13.2.3

See Notes

handbook-guidance
A firm should take steps to understand the types of operational risk that are relevant to its particular circumstances, and the operational losses to which they expose the firm. This should include considering the potential sources of operational risk addressed in this chapter: people; processes and systems; external events.

SYSC 13.2.4

See Notes

handbook-guidance
Operational risk can affect, amongst other things, a firm's solvency, or lead to unfair treatment of consumers or lead to financial crime. A firm should consider all operational risk events that may affect these matters in establishing and maintaining its systems and controls.

SYSC 13.3

Other related Handbook sections

SYSC 13.3.1

See Notes

handbook-guidance

The following is a non-exhaustive list of rules and guidance in the Handbook that are relevant to a firm's management of operational risk:

  1. (1) SYSC 14 and INSPRU 5.1 contain specific rules and guidance for the establishment and maintenance of operational risk systems and controls in a prudential context.
  2. (2) COB contains rules and guidance that can relate to the management of operational risk; for example, COB 2 (Rules which apply to all firms conducting designated investment business), COB 3 (Financial promotion), COB 5 (Advising and selling), COB 7 (Dealing and managing) and COB 9 (Client assets).

SYSC 13.4

Requirements to notify the FSA

SYSC 13.4.1

See Notes

handbook-guidance
Under Principle 11 and SUP 15.3.1 R, a firm must notify the FSA immediately of any operational risk matter of which the FSA would reasonably expect notice. SUP 15.3.8 G provides guidance on the occurrences that this requirement covers, which include a significant failure in systems and controls and a significant operational loss.

SYSC 13.4.2

See Notes

handbook-guidance

Regarding operational risk, matters of which the FSA would expect notice under Principle 11 include:

  1. (1) any significant operational exposures that a firm has identified;
  2. (2) the firm's invocation of a business continuity plan; and
  3. (3) any other significant change to a firm's organisation, infrastructure or business operating environment.

SYSC 13.5

Risk management terms

SYSC 13.5.1

See Notes

handbook-guidance

In this chapter, the following interpretations of risk management terms apply:

  1. (1) a firm's risk culture encompasses the general awareness, attitude and behaviour of its employees and appointed representatives to risk and the management of risk within the organisation;
  2. (2) operational exposure means the degree of operational risk faced by a firm and is usually expressed in terms of the likelihood and impact of a particular type of operational loss occurring (for example, fraud, damage to physical assets);
  3. (3) a firm's operational risk profile describes the types of operational risks that it faces, including those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients, and its exposure to these risks.

SYSC 13.6

People

SYSC 13.6.1

See Notes

handbook-guidance
A firm should consult SYSC 3.2.2 G to SYSC 3.2.5 G for guidance on reporting lines and delegation of functions within a firm and SYSC 3.2.13 G to SYSC 3.2.14 G for guidance on the suitability of employees and appointed representatives. This section provides additional guidance on management of employees and other human resources in the context of operational risk.

SYSC 13.6.2

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for the management of operational risks that can arise from employees. In doing so, a firm should have regard to:

  1. (1) its operational risk culture, and any variations in this or its human resource management practices, across its operations (including, for example, the extent to which the compliance culture is extended to in-house IT staff);
  2. (2) whether the way employees are remunerated exposes the firm to the risk that it will not be able to meet its regulatory obligations (see SYSC 3.2.18 G). For example, a firm should consider how well remuneration and performance indicators reflect the firm's tolerance for operational risk, and the adequacy of these indicators for measuring performance;
  3. (3) whether inadequate or inappropriate training of client-facing services exposes clients to risk of loss or unfair treatment including by not enabling effective communication with the firm;
  4. (4) the extent of its compliance with applicable regulatory and other requirements that relate to the welfare and conduct of employees;
  5. (5) its arrangements for the continuity of operations in the event of employee unavailability or loss;
  6. (6) the relationship between indicators of 'people risk' (such as overtime, sickness, and employee turnover levels) and exposure to operational losses; and
  7. (7) the relevance of all the above to employees of a third party supplier who are involved in performing an outsourcing arrangement. As necessary, a firm should review and consider the adequacy of the staffing arrangements and policies of a service provider.

Employee responsibilities

SYSC 13.6.3

See Notes

handbook-guidance

A firm should ensure that all employees are capable of performing, and aware of, their operational risk management responsibilities, including by establishing and maintaining:

  1. (1) appropriate segregation of employees' duties and appropriate supervision of employees in the performance of their responsibilities (see SYSC 3.2.5 G);
  2. (2) appropriate recruitment and subsequent processes to review the fitness and propriety of employees (see SYSC 3.2.13 G and SYSC 3.2.14 G);
  3. (3) clear policy statements and appropriate systems and procedures manuals that are effectively communicated to employees and available for employees to refer to as required. These should cover, for example, compliance, IT security and health and safety issues;
  4. (4) training processes that enable employees to attain and maintain appropriate competence; and
  5. (5) appropriate and properly enforced disciplinary and employment termination policies and procedures.

SYSC 13.6.4

See Notes

handbook-guidance
A firm should have regard to SYSC 13.6.3 G in relation to approved persons, people occupying positions of high personal trust (for example, security administration, payment and settlement functions); and people occupying positions requiring significant technical competence (for example, derivatives trading and technical security administration). A firm should also consider the rules and guidance for approved persons in other parts of the Handbook (including APER and SUP) and the rules and guidance on senior manager responsibilities in SYSC 2.1 (Apportionment of Responsibilities).

SYSC 13.7

Processes and systems

SYSC 13.7.1

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to:

  1. (1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems);
  2. (2) controls that will help it to prevent system and process failures or identify them to permit prompt rectification (including pre-approval or reconciliation processes);
  3. (3) whether the design and use of its processes and systems allow it to comply adequately with regulatory and other requirements;
  4. (4) its arrangements for the continuity of operations in the event that a significant process or system becomes unavailable or is destroyed; and
  5. (5) the importance of monitoring indicators of process or system risk (including reconciliation exceptions, compensation payments for client losses and documentation errors) and experience of operational losses and exposures.

Internal documentation

SYSC 13.7.2

See Notes

handbook-guidance
Internal documentation may enhance understanding and aid continuity of operations, so a firm should ensure the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational risk.

External documentation

SYSC 13.7.3

See Notes

handbook-guidance
A firm may use external documentation (including contracts, transaction statements or advertising brochures) to define or clarify terms and conditions for its products or activities, its business strategy (for example, including through press statements), or its brand. Inappropriate or inaccurate information in external documents can lead to significant operational exposure.

SYSC 13.7.4

See Notes

handbook-guidance

A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so, a firm should have regard to:

  1. (1) compliance with applicable regulatory and other requirements (such as COB 3 (Financial promotion));
  2. (2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard terms (whose meaning may not yet be settled or whose effectiveness may be uncertain);
  3. (3) the manner in which its documentation is issued; and
  4. (4) the extent to which confirmation of acceptance is required (including by customer signature or counterparty confirmation).

IT systems

SYSC 13.7.5

See Notes

handbook-guidance
IT systems include the computer systems and infrastructure required for the automation of processes, such as application and operating system software; network infrastructure; and desktop, server, and mainframe hardware. Automation may reduce a firm's exposure to some 'people risks' (including by reducing human errors or controlling access rights to enable segregation of duties), but will increase its dependency on the reliability of its IT systems.

SYSC 13.7.6

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:

  1. (1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);
  2. (2) the extent to which technology requirements are addressed in its business strategy;
  3. (3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities between IT development and operational areas, processes for embedding security requirements into systems); and
  4. (4) the appropriateness of its activities supporting the operation of IT systems (including the allocation of responsibilities between business and technology areas).

Information security

SYSC 13.7.7

See Notes

handbook-guidance

Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to:

  1. (1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
  2. (2) integrity: safeguarding the accuracy and completeness of information and its processing;
  3. (3) availability and authentication: ensuring that appropriately authorised persons or systems have access to the information when required and that their identity is verified;
  4. (4) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions.

SYSC 13.7.8

See Notes

handbook-guidance
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).

Geographic location

SYSC 13.7.9

See Notes

handbook-guidance

Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to:

  1. (1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or cultural differences on the provision of services);
  2. (2) relevant local regulatory and other requirements regarding data protection and transfer;
  3. (3) the extent to which local regulatory and other requirements may restrict its ability to meet regulatory obligations in the United Kingdom (for example, access to information by the FSA and local restrictions on internal or external audit); and
  4. (4) the timeliness of information flows to and from its headquarters and whether the level of delegated authority and the risk management structures of the overseas operation are compatible with the firm's head office arrangements.

SYSC 13.8

External events and other changes

SYSC 13.8.1

See Notes

handbook-guidance

The exposure of a firm to operational risk may increase during times of significant change to its organisation, infrastructure and business operating environment (for example, following a corporate restructure or changes in regulatory requirements). Before, during, and after expected changes, a firm should assess and monitor their effect on its risk profile, including with regard to:

  1. (1) untrained or de-motivated employees or a significant loss of employees during the period of change, or subsequently;
  2. (2) inadequate human resources or inexperienced employees carrying out routine business activities owing to the prioritisation of resources to the programme or project;
  3. (3) process or system instability and poor management information due to failures in integration or increased demand; and
  4. (4) inadequate or inappropriate processes following business re-engineering.

SYSC 13.8.2

See Notes

handbook-guidance

A firm should establish and maintain appropriate systems and controls for the management of the risks involved in expected changes, such as by ensuring:

  1. (1) the adequacy of its organisation and reporting structure for managing the change (including the adequacy of senior management oversight);
  2. (2) the adequacy of the management processes and systems for managing the change (including planning, approval, implementation and review processes); and
  3. (3) the adequacy of its strategy for communicating changes in systems and controls to its employees.

Unexpected changes and business continuity management

SYSC 13.8.3

See Notes

handbook-guidance
SYSC 3.2.19 G provides high level guidance on business continuity. This section provides additional guidance on managing business continuity in the context of operational risk.

SYSC 13.8.4

See Notes

handbook-guidance
The high level requirement for appropriate systems and controls at SYSC 3.1.1 R applies at all times, including when a business continuity plan is invoked. However, the FSA recognises that, in an emergency, a firm may be unable to comply with a particular rule and the conditions for relief are outlined in GEN 1.3 (Emergency).

SYSC 13.8.5

See Notes

handbook-guidance

A firm should consider the likelihood and impact of a disruption to the continuity of its operations from unexpected events. This should include assessing the disruptions to which it is particularly susceptible (and the likely timescale of those disruptions) including through:

  1. (1) loss or failure of internal and external resources (such as people, systems and other assets);
  2. (2) the loss or corruption of its information; and
  3. (3) external events (such as vandalism, war and "acts of God").

SYSC 13.8.6

See Notes

handbook-guidance
A firm should implement appropriate arrangements to maintain the continuity of its operations. A firm should act to reduce both the likelihood of a disruption (including by succession planning, systems resilience and dual processing); and the impact of a disruption (including by contingency arrangements and insurance).

SYSC 13.8.7

See Notes

handbook-guidance

A firm should document its strategy for maintaining continuity of its operations, and its plans for communicating and regularly testing the adequacy and effectiveness of this strategy. A firm should establish:

  1. (1) formal business continuity plans that outline arrangements to reduce the impact of a short, medium or long-term disruption, including:
    1. (a) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
    2. (b) the recovery priorities for the firm's operations; and
    3. (c) communication arrangements for internal and external concerned parties (including the FSA, clients and the press);
  2. (2) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
  3. (3) processes to validate the integrity of information affected by the disruption;
  4. (4) processes to review and update (1) to (3) following changes to the firm's operations or risk profile (including changes identified through testing).

SYSC 13.8.8

See Notes

handbook-guidance
The use of an alternative site for recovery of operations is common practice in business continuity management. A firm that uses an alternative site should assess the appropriateness of the site, particularly for location, speed of recovery and adequacy of resources. Where a site is shared, a firm should evaluate the risk of multiple calls on shared resources and adjust its plans accordingly.

SYSC 13.9

Outsourcing

SYSC 13.9.1

See Notes

handbook-guidance
As SYSC 3.2.4 G explains, a firm cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions. This section provides additional guidance on managing outsourcing arrangements (and will be relevant, to some extent, to other forms of third party dependency) in relation to operational risk. Outsourcing may affect a firm's exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.

SYSC 13.9.2

See Notes

handbook-guidance
Firms should take particular care to manage material outsourcing arrangements and, as SUP 15.3.8 G (1)(e) explains, a firm should notify the FSA when it intends to enter into a material outsourcing arrangement.

SYSC 13.9.3

See Notes

handbook-guidance
A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk.

SYSC 13.9.4

See Notes

handbook-guidance

Before entering into, or significantly changing, an outsourcing arrangement, a firm should:

  1. (1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
  2. (2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
  3. (3) conduct appropriate due diligence of the service provider's financial stability and expertise;
  4. (4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
  5. (5) consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.

SYSC 13.9.5

See Notes

handbook-guidance

In negotiating its contract with a service provider, a firm should have regard to:

  1. (1) reporting or notification requirements it may wish to impose on the service provider;
  2. (2) whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the Act) and to the FSA (see SUP 2.3.5 R (Access to premises) and SUP 2.3.7 R (Suppliers under material outsourcing arrangements);
  3. (3) information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
  4. (4) the adequacy of any guarantees and indemnities;
  5. (5) the extent to which the service provider must comply with the firm's policies and procedures (covering, for example, information security);
  6. (6) the extent to which a service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
  7. (7) the need for continued availability of software following difficulty at a third party supplier;
  8. (8) the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
    1. (a) a change of ownership or control (including insolvency or receivership) of the service provider or firm; or
    2. (b) significant change in the business operations (including sub-contracting) of the service provider or firm; or
    3. (c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.

SYSC 13.9.6

See Notes

handbook-guidance

In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:

  1. (1) the identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
  2. (2) the evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
  3. (3) remedial action and escalation processes for dealing with inadequate performance.

SYSC 13.9.7

See Notes

handbook-guidance
In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls. The use of such reports does not absolve the firm of responsibility to maintain other oversight. In addition, the firm should not normally have to forfeit its right to access, for itself or its agents, to the service provider's premises.

SYSC 13.9.8

See Notes

handbook-guidance
A firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement.

SYSC 13.10

Insurance

SYSC 13.10.1

See Notes

handbook-guidance
Whilst a firm may take out insurance with the aim of reducing the monetary impact of operational risk events, non-monetary impacts may remain (including impact on the firm's reputation). A firm should not assume that insurance alone can replace robust systems and controls.

SYSC 13.10.2

See Notes

handbook-guidance

When considering utilising insurance, a firm should consider:

  1. (1) the time taken for the insurer to pay claims (including the potential time taken in disputing cover) and the firm's funding of operations whilst awaiting payment of claims;
  2. (2) the financial strength of the insurer, which may determine its ability to pay claims, particularly where large or numerous small claims are made at the same time; and
  3. (3) the effect of any limiting conditions and exclusion clauses that may restrict cover to a small number of specific operational losses and may exclude larger or hard to quantify indirect losses (such as lost business or reputational costs).

SYSC 14

Prudential risk management and associated systems and controls

SYSC 14.1

Application

SYSC 14.1.1

See Notes

handbook-rule

This section applies to an insurer unless it is:

SYSC 14.1.2

See Notes

handbook-rule

This section applies to:

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

Purpose

SYSC 14.1.3

See Notes

handbook-guidance
This section sets out some rules and guidance on the establishment and maintenance of systems and controls for the management of a firm's prudential risks. A firm's prudential risks are those that can reduce the adequacy of its financial resources, and as a result may adversely affect confidence in the financial system or prejudice consumers. Some key prudential risks are credit, market, liquidity, operational, insurance and group risk.

SYSC 14.1.4

See Notes

handbook-guidance
The purpose of this section is to serve the FSA's regulatory objectives of consumer protection and market confidence In particular, this section aims to reduce the risk that a firm may pose a threat to these regulatory objectives, either because it is not prudently managed, or because it has inadequate systems to permit appropriate senior management oversight and control of its business.

SYSC 14.1.5

See Notes

handbook-guidance
Both adequate financial resources and adequate systems and controls are necessary for the effective management of prudential risks. A firm may hold financial resources to help alleviate the financial consequences of minor weaknesses in its systems and controls (to reflect possible impairments in the accuracy or timing of its identification, measurement, monitoring and control of certain risks, for example). However, financial resources cannot adequately compensate for significant weaknesses in a firm's systems and controls that could fundamentally undermine its ability to control its affairs effectively.

How to interpret this section

SYSC 14.1.6

See Notes

handbook-guidance
This section is designed to amplify Principle 3 (Management and control) which requires that a firm take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems. This section is also designed to be complementary to SYSC 2, SYSC 3 and SYSC 13 in that it contains some additional rules and guidance on senior management arrangements and associated systems and controls for firms that could have a significant impact on the FSA's objectives in a prudential context.

SYSC 14.1.7

See Notes

handbook-guidance
In addition to supporting PRIN and SYSC 2, SYSC 3 and SYSC 13, this section lays the foundations for the more specific rules and guidance on the management of credit, market, liquidity, operational, insurance and group risks that are in SYSC 11, SYSC 12, SYSC 15, SYSC 16 and INSPRU 5.1. Many of the elements raised here in general terms are expanded upon in these sections.

SYSC 14.1.8

See Notes

handbook-guidance

Appropriate systems and controls for the management of prudential risk will vary from firm to firm. Therefore, most of the material in this section is guidance. In interpreting this guidance, a firm should have regard to its own particular circumstances. Following from SYSC 3.1.2 G, this should include considering the nature, scale and complexity of its business, which may be influenced by factors such as:

  1. (1) the diversity of its operations, including geographical diversity;
  2. (2) the volume and size of its transactions; and
  3. (3) the degree of risk associated with each area of its operation.

SYSC 14.1.9

See Notes

handbook-guidance
The guidance contained within this section is not designed to be exhaustive. When establishing and maintaining its systems and controls a firm should have regard not only to other parts of the Handbook, but also to material that is issued by other industry or regulatory bodies.

The role of systems and controls in a prudential context

SYSC 14.1.10

See Notes

handbook-guidance
In a prudential context, a firm's systems and controls should provide its senior management with an adequate means of managing the firm. As such, they should be designed and maintained to ensure that senior management is able to make and implement integrated business planning and risk management decisions on the basis of accurate information about the risks that the firm faces and the financial resources that it has.

The prudential responsibilities of senior management and the apportionment of those responsibilities

SYSC 14.1.11

See Notes

handbook-guidance

Ultimate responsibility for the management of prudential risks rests with a firm's governing body and relevant senior managers, and in particular with those individuals that undertake the firm's governing functions and the apportionment and oversight function. In particular, these responsibilities should include:

  1. (1) overseeing the establishment of an appropriate business plan and risk management strategy;
  2. (2) overseeing the development of appropriate systems for the management of prudential risks;
  3. (3) establishing adequate internal controls; and
  4. (4) ensuring that the firm maintains adequate financial resources.

The delegation of responsibilities within the firm

SYSC 14.1.12

See Notes

handbook-guidance
Although authority for the management of a firm's prudential risks is likely to be delegated, to some degree, to individuals at all levels of the organisation, overall responsibility for this activity should not be delegated from its governing body and relevant senior managers.

SYSC 14.1.13

See Notes

handbook-guidance
Where delegation does occur, a firm should ensure that appropriate systems and controls are in place to allow its governing body and relevant senior managers to participate in and control its prudential risk management activities. The governing body and relevant senior managers should approve and periodically review these systems and controls to ensure that delegated duties are being performed correctly.

Firms subject to risk management on a group basis

SYSC 14.1.14

See Notes

handbook-guidance

Some firms organise the management of their prudential risks on a stand-alone basis. In some cases, however, the management of a firm's prudential risks may be entirely or largely subsumed within a whole group or sub-group basis.

  1. (1) The latter arrangement may still comply with the FSA's prudential policyon systems and controls if the firm's governing body formally delegates the functions that are to be carried out in this way to the persons or bodies that are to carry them out. Before doing so, however, the firm's governing body should have explicitly considered the arrangement and decided that it is appropriate and that it enables the firm to meet the FSA's prudential policy on systems and controls. The firm should notify the FSA if the management of its prudential risks is to be carried out in this way.
  2. (2) Where the management of a firm's prudential risks is largely, but not entirely, subsumed within a whole group or sub-group basis, the firm should ensure that any prudential issues that are specific to the firm are:
    1. (a) identified and adequately covered by those to whom it has delegated certain prudential risk management tasks; or
    2. (b) dealt with by the firm itself.

SYSC 14.1.15

See Notes

handbook-guidance
Any delegation of the management of prudential risks to another part of a firm's group does not relieve it of responsibility for complying with the FSA's prudential policy on systems and controls. A firm cannot absolve itself of such a responsibility by claiming that any breach of the FSA's prudential policy on systems and controls is effected by the actions of a third party firm to whom the firm has delegated tasks. The risk management arrangements are still those of the firm, even though personnel elsewhere in the firm's group are carrying out these functions on its behalf. Thus any references in GENPRU, INSPRU or SYSC to what a firm, its personnel and its management should and should not do still apply, and do not need any adjustment to cover the situation in which risk management functions are carried out on a group-wide basis.

SYSC 14.1.16

See Notes

handbook-guidance
Where it is stated in GENPRU, INSPRU or SYSC that a particular task in relation to a firm's systems and controls should be carried out by a firm's governing body this task should not be delegated to another part of its group. Furthermore, even where the management of a firm's prudential risks is delegated as described in SYSC 14.1.14 G, responsibility for its effectiveness and for ensuring that it remains appropriate remains with the firm's governing body. The firm's governing body should therefore keep any delegation under review to ensure that delegated duties are being performed correctly.

Business planning and risk management

SYSC 14.1.17

See Notes

handbook-guidance
Business planning and risk management are closely related activities. In particular, the forward-looking assessment of a firm's financial resources needs, and of how business plans may affect the risks that it faces, are important elements of prudential risk management. A firm's business planning should also involve the creation of specific risk policies which will normally outline a firm's strategy and objectives for, as appropriate, the management of its market, credit, liquidity, operational, insurance and group risks and the processes that it intends to adopt to achieve these objectives. SYSC 14.1.18 R to SYSC 14.1.25 G set out some rules and guidance relating to business planning and risk management in a prudential context (see also SYSC 3.2.17 G, which states that a firm should plan its business appropriately).

SYSC 14.1.18

See Notes

handbook-rule
A firm must take reasonable steps to ensure the establishment and maintenance of a business plan and appropriate systems for the management of prudential risk.

SYSC 14.1.19

See Notes

handbook-rule

When establishing and maintaining its business plan and prudential risk management systems, a firm must document:

  1. (1) an explanation of its overall business strategy, including its business objectives;
  2. (2) a description of, as applicable, its policies towards market, credit (including provisioning), liquidity, operational, insurance and group risk (that is, its risk policies), including its appetite or tolerance for these risks and how it identifies, measures or assesses, monitors and controls these risks;
  3. (3) the systems and controls that it intends to use in order to ensure that its business plan and risk policies are implemented correctly;
  4. (4) a description of how the firm accounts for assets and liabilities, including the circumstances under which items are netted, included or excluded from the firm's balance sheet and the methods and assumptions for valuation;
  5. (5) appropriate financial projections and the results of its stress testing and scenario analysis (see GENPRU 1.2 (Adequacy of financial resources)); and
  6. (6) details of, and the justification for, the methods and assumptions used in financial projections and stress testing and scenario analysis.

SYSC 14.1.20

See Notes

handbook-guidance

The prudential risk management systems referred to in SYSC 14.1.18 R and SYSC 14.1.19 R are the means by which a firm is able to:

  1. (1) identify the prudential risks that are inherent in its business plan, operating environment and objectives, and determine its appetite or tolerance for these risks;
  2. (2) measure or assess its prudential risks;
  3. (3) monitor its prudential risks; and
  4. (4) control or mitigate its prudential risks.

INSPRU 4.1.63 E is an evidential provision relating to SYSC 14.1.18 R concerning risk management systems in respect of liquidity risk arising from substantial exposures in foreign currencies.

SYSC 14.1.21

See Notes

handbook-guidance
A firm should consider the relationship between its business plan, risk policies and the financial resources that it has available (or can readily access), recognising that decisions made in respect of one element may have consequences for the other two.

SYSC 14.1.22

See Notes

handbook-guidance

A firm's business plan and risk management systems should be:

  1. (1) effectively communicated so that all employees and contractors understand and adhere to the procedures related to their own responsibilities;
  2. (2) regularly updated and revised, in particular when there is significant new information or when actual practice or performance differs materially from the documented strategy, policy or systems.

SYSC 14.1.23

See Notes

handbook-guidance
The level of detail in a firm's business plan and its approach to the design of its risk management systems should be appropriate to the scale and complexity of its operations, and the nature and degree of risk that it faces.

SYSC 14.1.24

See Notes

handbook-guidance
A firm's business plan and systems documentation should be accessible to the firm's management in line with their respective responsibilities and, upon request, to the FSA .

SYSC 14.1.25

See Notes

handbook-guidance
SYSC 14.1.19R (5) requires a firm to document its financial projections and the results of its stress testing and scenario analysis. Such financial projections, stress tests and scenario analysis should be used by a firm'sgoverning body and relevant senior managers when deciding upon how much risk the firm is willing to accept in pursuit of its business objectives and how risk limits should be set. Further rules and guidance on stress testing and scenario analysis are outlined in GENPRU 1.2 (Adequacy of financial resources) and SYSC 11 (Liquidity risk systems and controls).

Internal controls: introduction

SYSC 14.1.26

See Notes

handbook-guidance
Internal controls should provide a firm with reasonable assurance that it will not be hindered in achieving its objectives, or in the orderly and legitimate conduct of its business, by events that may reasonably be foreseen. More specifically in a prudential context, internal controls should be concerned with ensuring that a firm's business plan and risk management systems are operating as expected and are being implemented as intended. The following rule (SYSC 14.1.27 R) reflects the importance of internal controls in a prudential context.

SYSC 14.1.27

See Notes

handbook-rule
A firm must take reasonable steps to establish and maintain adequate internal controls.

SYSC 14.1.28

See Notes

handbook-guidance

The precise role and organisation of internal controls can vary from firm to firm. However, a firm's internal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives:

  1. (1) safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities;
  2. (2) maintaining the efficiency and effectiveness of its operations;
  3. (3) ensuring the reliability and completeness of all accounting, financial and management information; and
  4. (4) ensuring compliance with its internal policies and procedures as well as all applicable laws and regulations.

SYSC 14.1.29

See Notes

handbook-guidance

When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in SYSC 14.1.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of:

  1. (1) the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G);
  2. (2) how the delegation or contracting of functions or activities to employees, appointed representatives or other third parties (for example outsourcing) is to be monitored and controlled (see SYSC 3.2.3 G to SYSC 3.2.4 G, SYSC 14.1.12 G to SYSC 14.1.16 G and SYSC 14.1.33 G; additional guidance on the management of outsourcing arrangements is also provided in SYSC 13.9);
  3. (3) the risk that a firm's employees or contractors might accidentally or deliberately breach a firm's policies and procedures (see SYSC 13.6.3 G);
  4. (4) the need for adequate segregation of duties (see SYSC 3.2.5 G and SYSC 14.1.30 G to SYSC 14.1.33 G);
  5. (5) the establishment and control of risk management committees (see SYSC 14.1.34 G to SYSC 14.1.37 G);
  6. (6) the need for risk assessment and the establishment of a risk assessment function (see SYSC 3.2.10 G and SYSC 14.1.38 G to SYSC 14.1.41 G);
  7. (7) the need for internal audit and the establishment of an internal audit function and audit committee (see SYSC 3.2.15 G to SYSC 3.2.16 G and SYSC 14.1.42 G to SYSC 14.1.45 G).

Internal controls: segregation of duties

SYSC 14.1.30

See Notes

handbook-guidance

The effective segregation of duties is an important internal control in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm's governing body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems. In this regard, a firm should ensure that there is adequate segregation of duties between employees involved in:

  1. (1) taking on or controlling risk (which could involve risk mitigation);
  2. (2) risk assessment (which includes the identification and analysis of risk); and
  3. (3) internal audit.

SYSC 14.1.31

See Notes

handbook-guidance

In addition, a firm should normally ensure that no single individual has unrestricted authority to do all of the following:

  1. (1) initiate a transaction;
  2. (2) bind the firm;
  3. (3) make payments; and
  4. (4) account for it.

SYSC 14.1.32

See Notes

handbook-guidance
Where a firm is unable to ensure the complete segregation of duties (for example, because it has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant senior managers).

SYSC 14.1.33

See Notes

handbook-guidance

Where a firm outsources a controlled function, such as internal audit, it should take reasonable steps to ensure that every individual involved in the performance of this service is independent from the individuals who perform its external audit. This should not prevent services from being undertaken by a firm's external auditors provided that:

  1. (1) the work is carried out under the supervision and management of the firm's own internal staff; and
  2. (2) potential conflicts of interest between the provision of external audit services and the provision of controlled functions are properly managed.

Internal controls: risk management committees

SYSC 14.1.34

See Notes

handbook-guidance
In many firms, especially if there are multiple business lines, it is common for the governing body to delegate some tasks related to risk control and management to committees such as asset and liability committees (ALCO), credit risk committees and market risk committees.

SYSC 14.1.35

See Notes

handbook-guidance

Where a firm decides to create one or more risk management committee(s), adequate internal controls should be put in place to ensure that these committees are effective and that their actions are consistent with the objectives outlined in SYSC 14.1.28 G. This should normally include consideration of the following:

  1. (1) setting clear terms of reference, including membership, reporting lines and responsibilities of each committee;
  2. (2) setting limits on their authority;
  3. (3) agreeing routine reporting and non-routine reporting escalation procedures;
  4. (4) agreeing the minimum frequency of committee meetings; and
  5. (5) reviewing the performance of these risk management committees.

SYSC 14.1.36

See Notes

handbook-guidance
The decision to delegate risk management tasks, along with the terms of reference of the committees and their performance, should be reviewed periodically by the firm's governing body and revised as appropriate.

SYSC 14.1.37

See Notes

handbook-guidance

The effective use of risk management committees can help to enhance a firm's internal controls. In establishing and maintaining its risk management committees, a firm should consider:

  1. (1) their membership, which should normally include relevant senior managers (such as the head of group risk, head of legal, and the heads of market, credit, liquidity and operational risk, etc.), business line managers, risk management personnel and other appropriately skilled people, for example, actuaries, lawyers, accountants, IT specialists, etc.;
  2. (2) using these committees to:
    1. (i) inform the decisions made by a firm's governing body regarding its appetite or tolerance for risk taking;
    2. (ii) highlight risk management issues that may require attention by the governing body;
    3. (iii) consider risk at the firm-wide level and, within delegated limits, to determine the allocation of risk limits and financial resources across business lines; and
    4. (iv) consider how exposures may be unwound, hedged, or otherwise mitigated, as appropriate.

Internal controls: risk assessment

SYSC 14.1.38

See Notes

handbook-guidance

Risk assessment is the process through which a firm identifies and analyses (using both qualitative and quantitative methodologies) the risks that it faces. A firm's risk assessment activities should normally include consideration of:

  1. (1) its total exposure to risk at the firm-wide level (that is, its exposure across business lines and risk categories);
  2. (2) capital allocation and the need to calculate risk weighted returns for different business lines;
  3. (3) the potential correlations that can exist between the risks in different business lines; this should also include looking for risks to which a firm's business plan is particularly sensitive, such as interest rate risk, or multiple dealings with the same counterparty;
  4. (4) the use of stress tests and scenario analysis;
  5. (5) whether there are risks inherent in the firm's business that are not being addressed adequately;
  6. (6) the risk adjusted return that the firm is achieving; and
  7. (7) the adequacy and timeliness of management information on market, credit, insurance, liquidity, operational and group risks from the business lines, including risk limit utilisation.

SYSC 14.1.39

See Notes

handbook-guidance
In accordance with SYSC 3.2.10 G a firm should consider whether it needs to set up a separate risk assessment function (or functions) that is responsible for assessing the risks that the firm faces and advising its governing body and senior managers on them.

SYSC 14.1.40

See Notes

handbook-guidance
Where a firm does decide that it needs a separate risk assessment function, the employees or contractors that carry out this function should not normally be involved in risk taking activities such as business line management (see SYSC 14.1.30 G to SYSC 14.1.33 G on the segregation of duties).

SYSC 14.1.41

See Notes

handbook-guidance
A summary of the results of the analysis undertaken by a firm's risk assessment function (including, where necessary, an explanation of any assumptions that were adopted) should normally be reported to relevant senior managers as well as to the firm's governing body.

Internal audit

SYSC 14.1.42

See Notes

handbook-guidance

A firm should ensure that it has appropriate mechanisms in place to assess and monitor the appropriateness and effectiveness of its systems and controls. This should normally include consideration of:

  1. (1) adherence to and effectiveness of, as appropriate, its market, credit, liquidity, operational, insurance, and group risk policies;
  2. (2) whether departures and variances from its documented systems and controls and risk policies have been adequately documented and appropriately reported, including whether appropriate pre-clearance authorisation has been sought for material departures and variances;
  3. (3) adherence to and effectiveness of its accounting policies, and whether accounting records are complete and accurate;
  4. (4) adherence to and effectiveness of its management reporting arrangements, including the timeliness of reporting, and whether information is comprehensive and accurate; and
  5. (5) adherence to FSA rules and regulatory prudential standards.

SYSC 14.1.43

See Notes

handbook-guidance
In accordance with SYSC 3.2.15 G and SYSC 3.2.16 G, a firm should consider whether it needs to set up a dedicated internal audit function.

SYSC 14.1.44

See Notes

handbook-guidance
Where a firm decides to set up an internal audit function, this function should provide independent assurance to its governing body, audit committee or an appropriate senior manager of the integrity and effectiveness of its systems and controls.

SYSC 14.1.45

See Notes

handbook-guidance
In forming its judgements, the person performing the internal audit function should test the practical operation of a firm's systems and controls as well as its accounting and risk policies. This should include examining the adequacy of supporting records.

Management information

SYSC 14.1.46

See Notes

handbook-guidance
Many individuals, at various levels of a firm, need management information relating to their activities. However, SYSC 14.1.47 G to SYSC 14.1.50 G concentrates on the management information that should be available to those at the highest level of a firm, that is, the firm's governing body and relevant senior managers. In so doing SYSC 14.1.47 G to SYSC 14.1.50 G amplify SYSC 3.2.11 G and SYSC 3.2.12 G (which outline the FSA's high level policy on senior management information) by providing some additional guidance on the management information that should be available in a prudential context.

SYSC 14.1.47

See Notes

handbook-guidance

The role of management information should be to help a firm's governing body and senior managers to understand risk at a firm-wide level. In so doing, it should help them to:

  1. (1) determine whether a firm is prudently managed with adequate financial resources;
  2. (2) make the decisions that fall within their ambit (for example, the high level business plans, strategy and risk tolerances of the firm); and
  3. (3) oversee the execution of tasks for which they are responsible.

SYSC 14.1.48

See Notes

handbook-guidance

A firm should consider what information needs to be made available to its governing body and senior managers. Some possible examples include:

  1. (1) firm-wide information such as the overall profitability and value of a firm and its total exposure to risk;
  2. (2) reports from committees to which the governing body has delegated risk management tasks, if applicable;
  3. (3) reports from a firm's internal audit and risk assessment functions, if applicable, including exception reports, where risk limits and policies have been breached or systems circumvented;
  4. (4) financial projections under expected and abnormal (that is, stressed) conditions;
  5. (5) reconciliation of actual profit and loss to previous financial projections and an analysis of any significant variances;
  6. (6) matters which require a decision from the governing body or senior managers, for example a significant variation to a business plan, amendments to risk limits, the creation of a new business line, etc;
  7. (7) compliance with FSA rules and regulatory prudential standards;
  8. (8) risk weighted returns; and
  9. (9) liquidity and funding requirements.

SYSC 14.1.49

See Notes

handbook-guidance

The management information that is provided to a firm's governing body and senior managers should have the following characteristics:

  1. (1) it should be timely, its frequency being determined by factors such as:
    1. (a) the volatility of the business in which the firm is engaged (that is, the speed at which its risks can change);
    2. (b) any time constraints on when action needs to be taken; and
    3. (c) the level of risk that the firm is exposed to, compared to its available financial resources and tolerance for risk;
  2. (2) it should be reliable, having regard to the fact that it may be necessary to sacrifice a degree of accuracy for timeliness; and
  3. (3) it should be presented in a manner that highlights any relevant issues on which those undertaking governing functions should focus particular attention.

SYSC 14.1.50

See Notes

handbook-guidance
The production of management and other information may require the collation of data from a variety of separate manual and automated systems. In such cases, responsibility for the integrity of the information may be spread amongst a number of operational areas. A firm should ensure that it has appropriate processes to validate the integrity of its information.

Record keeping

SYSC 14.1.51

See Notes

handbook-guidance

SYSC 3.2.20 R requires a firm to take reasonable care to make and retain adequate records. The following policy on record keeping supplements SYSC 3.2.20 R by providing some additional rules and guidance on record keeping in a prudential context. The purpose of this policy is to:

  1. (1) facilitate the prudential supervision of a firm by ensuring that adequate information is available regarding its past/current financial situation and business activities (which includes the design and implementation of systems and controls); and
  2. (2) help the FSA to satisfy itself that a firm is operating in a prudent manner and is not prejudicing the interests of its customers or market confidence

SYSC 14.1.52

See Notes

handbook-guidance
In addition to the record keeping requirements in GENPRU, INSPRU and SYSC, a firm should remember that it may be obliged, under other applicable laws or regulations, to keep similar or additional records.

SYSC 14.1.53

See Notes

handbook-rule
  1. (1) A firm must make and regularly update accounting and other records that are sufficient to enable the firm to demonstrate to the FSA:
    1. (a) that the firm is financially sound and has appropriate systems and controls;
    2. (b) the firm's financial position and exposure to risk (to a reasonable degree of accuracy); and
    3. (c) the firm's compliance with the rules in GENPRU, INSPRU and SYSC.
  2. (2) The records in (1) must be retained for a minimum of three years, or longer as appropriate.

SYSC 14.1.54

See Notes

handbook-guidance
A firm should be able to make available the records described in SYSC 14.1.53 R within a reasonable timeframe when requested to do so by the FSA .

SYSC 14.1.55

See Notes

handbook-guidance
The FSA recognises that not all records are specific to a particular point in time. As such, while it may be appropriate to update some records on a daily or continuous basis, for example expenditure and details of certain transactions, it may not be appropriate to update other records as regularly as this, for example those relating to its business plan and risk policies. A firm should decide how regularly it should update particular records.

SYSC 14.1.56

See Notes

handbook-guidance
A firm should decide which records it needs to hold, noting that compliance with SYSC 14.1.53 R does not require it to hold records on every single aspect of its activities. Some specific guidance on the types of records that a firm should hold is set out in each of the risk specific sections on systems and controls (see SYSC 11, SYSC 12, SYSC 14.1.65 G, SYSC 15 to SYSC 17 and INSPRU 5.1).

SYSC 14.1.57

See Notes

handbook-guidance
In deciding which records to hold, a firm should also take into account that failure to keep adequate records could make it harder for it to satisfy the FSA that it is compliant with the rules in GENPRU, INSPRU or SYSC, and to defend any enforcement action taken against it.

SYSC 14.1.58

See Notes

handbook-guidance
A firm should keep the records required in GENPRU, INSPRU and SYSC in an appropriate format and language (in terms of format this could include holding them on paper or in electronic or some other form). However, whatever format or language a firm chooses, SYSC 3.2.20 R requires that records be capable of being reproduced on paper and in English (except where they relate to business carried on from an establishment situated in a country where English is not an official language).

SYSC 14.1.59

See Notes

handbook-guidance
In accordance with SYSC 3.2.20 R, a firm should retain the records that it needs to comply with SYSC 14.1.53 R for as long as they are relevant for the purposes for which they were made.

SYSC 14.1.60

See Notes

handbook-rule

A firm must keep the records required in SYSC 14.1.53 R in the United Kingdom, except where:

  1. (1) they relate to business carried on from an establishment in a country or territory that is outside the United Kingdom; and
  2. (2) they are kept in that country or territory.

SYSC 14.1.61

See Notes

handbook-rule
When a firm keeps the records required in SYSC 14.1.53 R outside the United Kingdom, it must periodically send an adequate summary of those records to the United Kingdom.

SYSC 14.1.62

See Notes

handbook-guidance
Where a firm outsources the storage of some or all of its records to a third party service provider, it should ensure that these records are readily accessible and can be reproduced within a reasonable time period. The firm should also ensure that these records are stored in compliance with the rules and guidance on record keeping in GENPRU, INSPRU or SYSC. Additional guidance on the management of outsourcing agreements is provided in SYSC 13.

SYSC 14.1.63

See Notes

handbook-guidance
A firm may rely on records that have been produced by a third party (for example, another group company or an external agent, such as an outsource service provider). However where the firm does so it should ensure that these records are readily accessible and can be reproduced within a reasonable time period. The firm should also ensure that these records comply with the rules and guidance on record keeping in GENPRU, INSPRU or SYSC.

SYSC 14.1.64

See Notes

handbook-guidance
In accordance with SYSC 3.2.21 G, a firm should have adequate systems and controls for maintaining the security of its records so that they are reasonably safeguarded against loss, unauthorised access, alteration or destruction.

Operational risk

SYSC 14.1.65

See Notes

handbook-guidance

As well as covering other types of risk, the rules and guidance set out in this chapter deal with a firm's approach to operational risk. In particular:

  1. (1) SYSC 14.1.18 R requires a firm to take reasonable steps to ensure that the risk management systems put in place to identify, assess, monitor and control operational risk are adequate for that purpose;
  2. (2) SYSC 14.1.19R (2) requires a firm to document its policy for operational risk, including its risk appetite and how it identifies, assesses, monitors and controls that risk; and
  3. (3) SYSC 14.1.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems.

SYSC 15

Credit risk management systems and controls

SYSC 15.1

Application

SYSC 15.1.1

See Notes

handbook-guidance

SYSC 15.1 applies to an insurer unless it is:

SYSC 15.1.2

See Notes

handbook-guidance

SYSC 15.1 applies to:

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

Purpose

SYSC 15.1.3

See Notes

handbook-guidance
This section provides guidance on how to interpret SYSC 14 insofar as it relates to the management of credit risk.

SYSC 15.1.4

See Notes

handbook-guidance
Credit risk is incurred whenever a firm is exposed to loss if another party fails to perform its financial obligations to the firm, including failing to perform them in a timely manner. It arises from both on and off balance sheet items. For contracts for traded financial instruments, for example the purchase and sale of securities or over the counter derivatives, risks may arise if the firm's counterparty does not honour its side of the contract. This constitutes counterparty risk, which can be considered a subset of credit risk. Another risk is issuer risk, which could potentially result in a firm losing the full price of a market instrument since default by the issuer could result in the value of its bonds or stocks falling to nil. In insurance firms, credit risk can arise from premium debtors, where cover under contracts of insurance may either commence before premiums become due or continue after their non-payment. Credit risk can also arise if a reinsurer fails to fulfil its financial obligation to repay a firm upon submission of a claim.

SYSC 15.1.5

See Notes

handbook-guidance

Credit risk concerns the FSA in a prudential context because inadequate systems and controls for credit risk management can create a threat to the regulatory objectives of market confidence and consumer protection by:

  1. (1) the erosion of a firm's capital due to excessive credit losses thereby threatening its viability as a going concern;
  2. (2) an inability of a firm to meet its own obligations to depositors, policyholders or other market counterparties due to its capital erosion.

SYSC 15.1.6

See Notes

handbook-guidance
Appropriate systems and controls for the management of credit risk will vary with the scale, nature and complexity of the firm's activities. Therefore the material in this section is guidance. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligation as set out in Principle 3 to organise and control its affairs responsibly and effectively.

Requirements

SYSC 15.1.7

See Notes

handbook-guidance

High level requirements for prudential systems and controls, including those for credit risk, are set out in SYSC 14. In particular:

  1. (1) SYSC 14.1.19R (2) requires a firm to document its policy for credit risk, including its risk appetite and how it identifies, measures, monitors and controls that risk;
  2. (2) SYSC 14.1.19R (2) requires a firm to document its provisioning policy. Documentation should describe the systems and controls that it intends to use to ensure that the policy is correctly implemented;
  3. (3) SYSC 14.1.18 R requires it to establish and maintain risk management systems to identify, measure, monitor and control credit risk (in accordance with its credit risk policy), and to take reasonable steps to ensure that its systems are adequate for that purpose; or
  4. (4) in line with SYSC 14.1.11 G, the ultimate responsibility for the management of credit risk should rest with a firm's governing body. Where delegation of authority occurs the governing body and relevant senior managers should approve and periodically review systems and controls to ensure that delegated duties are being performed correctly.

Credit risk policy

SYSC 15.1.8

See Notes

handbook-guidance

SYSC 14.1.18 R requires a firm to establish, maintain and document a business plan and risk policies. They should provide a clear indication of the amount and nature of credit risk that the firm wishes to incur. In particular, they should cover for credit risk:

  1. (1) how, with particular reference to its activities, the firm defines and measures credit risk;
  2. (2) the firm's business aims in incurring credit risk including:
    1. (a) identifying the types and sources of credit risk to which the firm wishes to be exposed (and the limits on that exposure) and those to which the firm wishes not to be exposed (and how that is to be achieved, for example how exposure is to be avoided or mitigated);
    2. (b) specifying the level of diversification required by the firm and the firm's tolerance for risk concentrations (and the limits on those exposures and concentrations); and
    3. (c) drawing the distinction between activities where credit risk is taken in order to achieve a return (for example, lending) and activities where credit exposure arises as a consequence of pursuing some other objective (for example, the purchase of a derivative in order to mitigate market risk);
  3. (3) how credit risk is assessed both when credit is granted or incurred and subsequently, including how the adequacy of any security and other risk mitigation techniques is assessed;
  4. (4) the detailed limit structure for credit risk which should:
    1. (a) address all key risk factors, including intra-group exposures and indirect exposures (for example, exposures held by related and subsidiary undertakings);
    2. (b) be commensurate with the volume and complexity of activity; and
    3. (c) be consistent with the firm's business aims, historical performance, and its risk appetite;
  5. (5) procedures for:
    1. (a) approving new or additional exposures to counterparties;
    2. (b) approving new products and activities that give rise to credit risk;
    3. (c) regular risk position and performance reporting;
    4. (d) limit exception reporting and approval; and
    5. (e) identifying and dealing with the problem exposures caused by the failure or downgrading of a counterparty;
  6. (6) the methods and assumptions used for the stress testing and scenario analysis required by GENPRU 1.2 (Adequacy of financial resources), including how these methods and assumptions are selected and tested; and
  7. (7) the allocation of responsibilities for implementing the credit risk policy and for monitoring adherence to, and the effectiveness of, the policy.

Counterparty assessment

SYSC 15.1.9

See Notes

handbook-guidance

The firm should make a suitable assessment of the risk profile of the counterparty. The factors to be considered will vary according to both the type of credit and the counterparty being considered. This may include:

  1. (1) the purpose of the credit, the duration of the agreement and the source of repayment;
  2. (2) an assessment and continuous monitoring of the credit quality of the counterparty;
  3. (3) an assessment of the claims payment record where the counterparty is a reinsurer;
  4. (4) an assessment of the nature and amount of risk attached to the counterparty in the context of the industrial sector or geographical region or country in which it operates, as well as the potential impact on the counterparty of political, economic and market changes; and
  5. (5) the proposed terms and conditions attached to the granting of credit, including ongoing provision of information by the counterparty, covenants attached to the facility as well as the adequacy and enforceability of collateral, security and guarantees.

SYSC 15.1.10

See Notes

handbook-guidance
It is important that sound and legally enforceable documentation is in place for each agreement that gives rise to credit risk as this may be called upon in the event of a default or dispute. A firm should therefore consider whether it is appropriate for an independent legal opinion to be sought on documentation used by the firm. Documentation should normally be in place before the firm enters into a contractual obligation or releases funds.

SYSC 15.1.11

See Notes

handbook-guidance
Where premium payments are made via brokers or intermediaries, the firm should describe how it monitors and controls its exposure to those brokers and intermediaries. In particular, the policy should identify whether the risk of default by the broker or intermediary is borne by the firm or the policyholder.

SYSC 15.1.12

See Notes

handbook-guidance
Any variation from the usual credit policy should be documented.

SYSC 15.1.13

See Notes

handbook-guidance
A firm involved in loan syndications or consortia should not rely on other parties' assessment of the credit risks involved. It will remain responsible for forming its own judgement on the appropriateness of the credit risk thereby incurred with reference to its stated credit risk policy. Similarly a firm remains responsible for assessing the credit risk associated with any insurance or reinsurance placed on its behalf by other parties.

SYSC 15.1.14

See Notes

handbook-guidance
Where a credit scoring approach or other counterparty assessment process is used, the firm should periodically assess the particular approach taken in the light of past and expected future counterparty performance and ensure that any statistical process is adjusted accordingly to ensure that the business written complies with the firm's risk appetite.

SYSC 15.1.15

See Notes

handbook-guidance
In assessing its contingent exposure to a counterparty, the firm should identify the amount which would be due from the counterparty if the value, index or other factor upon which that amount depends were to change.

Credit risk measurement

SYSC 15.1.16

See Notes

handbook-guidance
A firm should measure its credit risk using a robust and consistent methodology which should be described in its credit risk policy; the appropriate method of measurement will depend upon the nature of the credit product provided. The firm should consider whether the measurement methodologies should be backtested and the frequency of such backtesting.

SYSC 15.1.17

See Notes

handbook-guidance
A firm should also be able to measure its credit exposure across its entire portfolio or within particular categories such as exposures to particular industries, economic sectors or geographical areas.

SYSC 15.1.18

See Notes

handbook-guidance
Where a firm is a member of a group that is subject to consolidated reporting, the group should be able to monitor credit exposures on a consolidated basis. See SYSC 12, INSPRU 6.1 and GENPRU 3.

SYSC 15.1.19

See Notes

handbook-guidance
A firm should have the capability to measure its credit exposure to individual counterparties on at least a daily basis.

Risk monitoring

SYSC 15.1.20

See Notes

handbook-guidance
A firm should implement an effective system for monitoring its credit risk which should be described in its credit risk policy.

SYSC 15.1.21

See Notes

handbook-guidance
A firm should have a system of management reporting which provides clear, concise, timely and accurate credit risk reports to relevant functions within the firm. The reports could cover exceptions to the firm's credit risk policy, non-performing exposures and changes to the level of credit risk within the firm's credit portfolio. A firm should have procedures for taking appropriate action according to the information within the management reports, such as a review of counterparty limits, or of the overall credit policy.

SYSC 15.1.22

See Notes

handbook-guidance
Individual credit facilities and overall limits should be periodically reviewed in order to check their appropriateness for both the current circumstances of the counterparty and the firm's current internal and external economic environment. The frequency of review should be appropriate to the nature of the facility.

SYSC 15.1.23

See Notes

handbook-guidance
A firm should utilise appropriate stress testing and scenario analysis of credit exposures to examine the potential effects of economic or industry downturns, market events, changes in interest rates, changes in foreign exchange rates, changes in liquidity conditions and changes in levels of insurance losses where relevant.

Problem exposures

SYSC 15.1.24

See Notes

handbook-guidance
A firm should have systematic processes for the timely identification, management and monitoring of problem exposures. These processes should be described in the credit risk policy.

SYSC 15.1.25

See Notes

handbook-guidance
A firm should have adequate procedures for recovering exposures in arrears or that have had provisions made against them. A firm should allocate responsibility, either internally or externally, for its arrears management and recovery.

Provisioning

SYSC 15.1.26

See Notes

handbook-guidance
SYSC 14.1.19R (2) requires a firm to document its provisioning policy. A firm's provisioning policy can be maintained either as a separate document or as part of its credit risk policy.

SYSC 15.1.27

See Notes

handbook-guidance
At intervals that are appropriate to the nature, scale and complexity of its activities a firm should review and update its provisioning policy and associated systems.

SYSC 15.1.28

See Notes

handbook-guidance
In line with SYSC 15.1.6 G, the FSA recognises that the frequency with which a firm reviews its provisioning policy once it has been established will vary from firm to firm. However, the FSA expects a firm to review at least annually whether its policy remains appropriate for the business it undertakes and the economic environment in which it operates.

SYSC 15.1.29

See Notes

handbook-guidance
In line with SYSC 14.1.12 G, the provisioning policy referred to in SYSC 15.1.26 G must be approved by the firm's governing body or another appropriate body to which the firm's governing body has delegated this responsibility.

SYSC 15.1.30

See Notes

handbook-guidance
In line with SYSC 14.1.24 G, the FSA may request a firm to provide it with a copy of its current provisioning policy.

SYSC 15.1.31

See Notes

handbook-guidance
Provisions may be general (against the whole of a given portfolio), specific (against particular exposures identified as bad or doubtful) or both. The FSA expects contingent liabilities (for example guarantees) and anticipated losses to be recognised in accordance with accepted accounting standards at the relevant time, such as those embodied in the Financial Reporting Standards issued by the Accounting Standards Board.

Risk mitigation

SYSC 15.1.32

See Notes

handbook-guidance
A firm may choose to use various credit risk mitigation techniques including the taking of collateral, the use of letters of credit or guarantees, or counterparty netting agreements to manage and control their counterparty exposures. The use of such techniques does not obviate the need for thorough credit analysis and procedures. The reliance placed by a firm on risk mitigation should be described in the credit risk policy.

SYSC 15.1.33

See Notes

handbook-guidance
A firm should consider the legal and financial ability of a guarantor to fulfil the guarantee if called upon to do so.

SYSC 15.1.34

See Notes

handbook-guidance
A firm should monitor the validity and enforceability of its collateral arrangements.

SYSC 15.1.35

See Notes

handbook-guidance
The firm should analyse carefully the protection afforded by risk mitigants such as netting agreements or credit derivatives, to ensure that any residual risk is identified, measured, monitored and controlled.

Record keeping

SYSC 15.1.36

See Notes

handbook-guidance

Prudential records made under SYSC 14.1.53 R should include appropriate records of:

  1. (1) credit exposures, including aggregations of credit exposures, as appropriate, by:
    1. (a) groups of connected counterparties; or
    2. (b) types of counterparty as defined, for example, by the nature or geographical location of the counterparty;
  2. (2) credit decisions, including details of the decision and the facts or circumstances upon which it was made; and
  3. (3) information relevant to assessing current counterparty and risk quality.

SYSC 15.1.37

See Notes

handbook-guidance
Credit records should be retained as long as they are needed for the purpose described in SYSC 15.1.36 G (subject to the minimum three year retention period). In particular, a firm should consider whether it is appropriate to retain information regarding counterparty history such as a record of credit events as well as a record indicating how credit decisions were taken.

SYSC 16

Market risk management systems and controls

SYSC 16.1

Application

SYSC 16.1.1

See Notes

handbook-guidance

SYSC 16.1 applies to an insurer unless it is:

SYSC 16.1.2

See Notes

handbook-guidance

SYSC 16.1 applies to:

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

SYSC 16.1.3

See Notes

handbook-guidance
Firms should also see GENPRU 1.2 (GENPRU 1.2.64G to GENPRU 1.2.78G) and INSPRU 3.1.

Purpose

SYSC 16.1.4

See Notes

handbook-guidance
  1. (1) The purpose of this section is to amplify SYSC 14 insofar as it relates to market risk.
  2. (2) Market risk includes equity, interest rate, foreign exchange (FX), commodity risk and interest rate risk on long-term insurance contracts. The price of financial instruments may also be influenced by other risks such as spread risk, basis risk, correlation, specific risk and volatility risk.
  3. (3) This section does not deal with the risk management of market risk in a group context. A firm that is a member of a group should also read SYSC 12 (Group risk systems and controls) which outlines the FSA's requirements for the risk management of market risk within a group.
  4. (4) Appropriate systems and controls for the management of market risk will vary with the scale, nature and complexity of the firm's activities. Therefore the material in this section is guidance. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3 to organise and control its affairs responsibly and effectively.

Requirements

SYSC 16.1.5

See Notes

handbook-guidance

High level requirements for prudential systems and controls, including those for market risk, are set out in SYSC 14. In particular:

  1. (1) SYSC 14.1.19R (2) requires a firm to document its policy for market risk, including its risk appetite and how it identifies, measures, monitors and controls that risk;
  2. (2) SYSC 14.1.19R (4) requires a firm to document its asset and liability recognition policy. Documentation should describe the systems and controls that it intends to use to comply with the policy;
  3. (3) SYSC 14.1.19 R requires a firm to establish and maintain risk management systems to identify, measure, monitor and control market risk (in accordance with its market risk policy), and to take reasonable steps to establish systems adequate for that purpose; and
  4. (4) In line with SYSC 14.1.11 G, the ultimate responsibility for the management of market risk should rest with a firm's governing body. Where delegation of authority occurs the governing body and relevant senior managers should approve and adequately review systems and controls to check that delegated duties are being performed correctly.

Market risk policy

SYSC 16.1.6

See Notes

handbook-guidance

SYSC 14 requires a firm to establish, maintain and document a business plan and risk policies. They should provide a clear indication of the amount and nature of market risk that the firm wishes to incur. In particular, they should cover for market risk:

  1. (1) how, with particular reference to its activities, the firm defines and measures market risk;
  2. (2) the firm's business aims in incurring market risk including:
    1. (a) identifying the types and sources of market risk to which the firm wishes to be exposed (and the limits on that exposure) and those to which the firm wishes not to be exposed (and how that is to be achieved, for example how exposure is to be avoided or mitigated); and
    2. (b) specifying the level of diversification required by the firm and the firm's tolerance for risk concentrations (and the limits on those exposures and concentrations).

SYSC 16.1.7

See Notes

handbook-guidance
The market risk policy of a firm should be endorsed by the firm's governing body and implemented by its senior management, who should take adequate steps to disseminate the policy and train the relevant staff such that they can effectively implement the policy.

SYSC 16.1.8

See Notes

handbook-guidance

The market risk policy of a firm should enforce the risk management and control principles and include detailed information on:

  1. (1) the financial instruments, commodities, assets and liabilities (and mismatches between assets and liabilities) that a firm is exposed to and the limits on those exposures;
  2. (2) the firm's investment strategy as applicable between each insurance fund;
  3. (3) activities that are intended to hedge or mitigate market risk including mismatches caused by for example differences in the assets and liabilities and maturity mismatches; and
  4. (4) the methods and assumptions used for measuring linear, non-linear and geared market risk including the rationale for selection, ongoing validation and testing. Methods might include stress testing and scenario analysis, asset/liability analysis, correlation analysis, Value-at-Risk (VaR) and options such as delta, gamma, vega, rho and theta. Exposure to non-linear or geared market risk is typically through the use of derivatives.

Risk identification

SYSC 16.1.9

See Notes

handbook-guidance

A firm should have in place appropriate risk reporting systems that enable it to identify the types and amount of market risk to which it is, and potentially could be, exposed. The information that systems should capture may include but is not limited to:

  1. (1) position information which may include a description of individual financial instruments and their cash flows; and
  2. (2) market data which may consist of raw time series of market rates, index levels and prices and derived time series of benchmark yield curves, spreads, implied volatilities, historical volatilities and correlations.

Risk measurement

SYSC 16.1.10

See Notes

handbook-guidance

Having identified the market risk that the firm is exposed to on at least a daily basis, a firm should be able to measure and manage that market risk on a consistent basis. This may be achieved by:

  1. (1) regularly stress testing all or parts of the firm's portfolio to estimate potential economic losses in a range of market conditions including abnormal markets. Corporate level stress test results should be discussed regularly by risk monitors, senior management and risk takers, and should guide the firm's market risk appetite (for example, stress tests may lead to discussions on how best to unwind or hedge a position), and influence the internal capital allocation process;
  2. (2) measuring the firm's exposure to particular categories of market risk (for example, equity, interest rate, foreign exchange and commodities) as well as across its entire portfolio of market risks;
  3. (3) analysing the impact that new transactions or businesses may have on its market risk position on an on-going basis; and
  4. (4) regularly backtesting realised results against internal model generated market risk measures in order to evaluate and assess its accuracy. For example, a firm should keep a database of daily risk measures such as VaR and options such as delta, gamma, vega, rho and theta, and use these to back test predicted profit and loss against actual profit and loss for all trading desks and business units, and monitor the number of exceptions from agreed confidence bands.

Valuation

SYSC 16.1.11

See Notes

handbook-guidance
A firm should take reasonable steps to establish systems and control procedures such that the firm complies with the requirements of GENPRU 1.3 (Valuation).

SYSC 16.1.12

See Notes

handbook-guidance

The systems and controls referred to in SYSC 16.1.11 G should include the following:

  1. (1) the department responsible for the validation of the value of assets and liabilities should be independent of the business trading area, and should be adequately resourced by suitably qualified staff. The department should report to a suitably qualified individual, independent from the business trading area, who has sufficient authority to enforce the systems and controls policies and any alterations to valuation treatments where necessary;
  2. (2) all valuations should be checked and validated at appropriate intervals. Where a firm has chosen not to validate all valuations on a daily basis this should be agreed by senior management;
  3. (3) a firm should establish a review procedure to check that the valuation procedures are followed and are producing valuations in compliance with the requirements in this section. The review should be undertaken by suitably qualified staff independent of the business trading area, on a regular and ad hoc basis. In particular, this review procedure should include:
    1. (a) the quality and appropriateness of the price sources used;
    2. (b) valuation reserves held; and
    3. (c) the valuation methodology employed for each product and consistent adherence to that methodology;
  4. (4) where a valuation is disputed and the dispute cannot be resolved in a timely manner it should be reported to senior management. It should continue to be reported to senior management until agreement is reached;
  5. (5) where a firm is marking positions to market it should take reasonable steps to establish a price source that is reliable and appropriate to enable compliance with the provisions in this section on an ongoing basis;
  6. (6) a firm should document its policies and procedures relating to the entire valuation process. In particular, the following should be documented:
    1. (a) the valuation methodologies employed for all product categories;
    2. (b) details of the price sources used for each product;
    3. (c) the procedures to be followed where a valuation is disputed;
    4. (d) the valuation adjustment and reserving policies;
    5. (e) the level at which a difference between a valuation assigned to an asset or liability and the valuation used for validation purposes will be reported on an exceptions basis and investigated;
    6. (f) where a firm is using its own internal estimate to produce a valuation, it should document in detail the process followed in order to produce the valuation; and
    7. (g) the review procedures established by a firm in relation to the requirements of this section should be adequately documented and include the rationale for the policy;
  7. (7) a firm should maintain records which demonstrate:
    1. (a) senior management's approval of the policies and procedures established; and
    2. (b) management sign-off of the reviews undertaken in accordance with SYSC 16.1.11 G.

Risk monitoring

SYSC 16.1.13

See Notes

handbook-guidance
Risk monitoring is the operational process by which a firm monitors compliance with defined policies and procedures of the market risk policy. The firm's risk monitoring system should be independent of the employees who are responsible for exposing the firm to market risk.

SYSC 16.1.14

See Notes

handbook-guidance

The market risk policy of a firm may require the production of market risk reports at various levels within the firm. These reports should provide sufficiently accurate market risk data to relevant functions within the firm, and should be timely enough to allow any appropriate remedial action to be proposed and taken, for example:

  1. (1) at a firm wide level, a market risk report may include information:
    1. (a) summarising and commenting on the total market risk that a firm is exposed to and market risk concentrations by business unit, asset class and country;
    2. (b) on VaR reports against risk limits by business unit, asset class and country;
    3. (c) commenting on significant risk concentrations and market developments; and
    4. (d) on market risk in particular legal entities and geographical regions;
  2. (2) at the business unit level, a market risk report may include information summarising market risk by currency, trading desk, maturity or duration band, or by instrument type;
  3. (3) at the trading desk level, a market risk report may include detailed information summarising market risk by individual trader, instrument, position, currency, or maturity or duration band; and
  4. (4) all risk data should be readily reconcilable back to the prime books of entry with a fully documented audit trail.

SYSC 16.1.15

See Notes

handbook-guidance

Risk monitoring may also include information on:

  1. (1) the procedures for taking appropriate action in response to the information within the market risk reports;
  2. (2) ensuring that there are controls and procedures for identifying and reporting trades and positions booked at off-market rates;
  3. (3) the process for new product approvals;
  4. (4) the process for dealing with situations (authorised and unauthorised) where particular market risk exposures exceed predetermined risk limits and criteria; and
  5. (5) the periodic review of the risk monitoring process in order to check its suitability for both current market conditions and the firm's overall risk appetite.

SYSC 16.1.16

See Notes

handbook-guidance
Risk monitoring should be subject to periodic independent review by suitably qualified staff.

Risk control

SYSC 16.1.17

See Notes

handbook-guidance

Risk control is the independent monitoring, assessment and supervision of business units within the defined policies and procedures of the market risk policy. This may be achieved by:

  1. (1) setting an appropriate market risk limit structure to control the firm's exposure to market risk; for example, by setting out a detailed market risk limit structure at the corporate level, the business unit level and the trading desk level which addresses all the key market risk factors and is commensurate with the volume and complexity of activity that the firm undertakes;
  2. (2) setting limits on risks such as price or rate risk, as well as those factors arising from options such as delta, gamma, vega, rho and theta;
  3. (3) setting limits on net and gross positions, market risk concentrations, the maximum allowable loss (also called "stop-loss"), VaR, potential risks arising from stress testing and scenario analysis, gap analysis, correlation, liquidity and volatility; and
  4. (4) considering whether it is appropriate to set intermediate (early warning) thresholds that alert management when limits are being approached, triggering review and action where appropriate.

Record keeping

SYSC 16.1.18

See Notes

handbook-guidance
High level requirements for record keeping are set out in SYSC 14.

SYSC 16.1.19

See Notes

handbook-guidance

In relation to market risk, a firm should retain appropriate prudential records of:

  1. (1) off and on market trades in financial instruments;
  2. (2) the nature and amounts of off and on balance sheet exposures, including the aggregation of exposures;
  3. (3) trades in financial instruments and other assets and liabilities; and
  4. (4) methods and assumptions used in stress testing and scenario analysis and in VaR models.

SYSC 16.1.20

See Notes

handbook-guidance
A firm should keep a data history to enable it to perform back testing of methods and assumptions used for stress testing and scenario analysis and for VaR models.

SYSC 17

Insurance risk systems and controls

SYSC 17.1

Application

SYSC 17.1.1

See Notes

handbook-guidance

SYSC 17.1 applies to an insurer unless it is:

SYSC 17.1.2

See Notes

handbook-guidance

SYSC 17.1 applies to:

only in respect of the activities of the firm carried on from a branch in the United Kingdom.

Purpose

SYSC 17.1.3

See Notes

handbook-guidance
This section provides guidance on how to interpret SYSC 14 (Prudential risk management and associated systems and controls) in so far as it relates to the management of insurance risk. Insurance risk refers to fluctuations in the timing, frequency and severity of insured events, relative to the expectations of the firm at the time of underwriting. Insurance risk can also refer to fluctuations in the timing and amount of claim settlements. For general insurance business some specific examples of insurance risk include variations in the amount or frequency of claims or the unexpected occurrence of multiple claims arising from a single cause. For long-term insurance business examples include variations in the mortality and persistency rates of policyholders, or the possibility that guarantees could acquire a value that adversely affects the finances of a firm and its ability to treat its policyholders fairly consistent with the firm's obligations under Principle 6. More generally, insurance risk includes the potential for expense overruns relative to pricing or provisioning assumptions.

SYSC 17.1.4

See Notes

handbook-guidance

Insurance risk concerns the FSA in a prudential context because inadequate systems and controls for its management can create a threat to the regulatory objectives of market confidence and consumer protection. Inadequately managed insurance risk may result in:

  1. (1) the inability of a firm to meet its contractual insurance liabilities as they fall due; and
  2. (2) the inability of a firm to treat its policyholders fairly consistent with the firm's obligations under Principle 6 (for example, in relation to bonus payments).

SYSC 17.1.5

See Notes

handbook-guidance
Guidance on the application of this section to a firm that is a member of a group is provided in SYSC 12 (Group risk systems and controls).

SYSC 17.1.6

See Notes

handbook-guidance
The guidance contained within this section should be read in conjunction with the rest of SYSC.

SYSC 17.1.7

See Notes

handbook-guidance
Appropriate systems and controls for the management of insurance risk will vary with the scale, nature and complexity of a firm's activities. Therefore, the material in this section is guidance. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligations, as set out in Principle 3, to organise and control its affairs responsibly and effectively.

General requirements

SYSC 17.1.8

See Notes

handbook-guidance

High level rules and guidance for prudential systems and controls for insurance risk are set out in SYSC 14. In particular:

  1. (1) SYSC 14.1.18 R requires a firm to take reasonable steps to establish and maintain a business plan and appropriate risk management systems;
  2. (2) SYSC 14.1.19R (2) requires a firm to document its policy for insurance risk, including its risk appetite and how it identifies, measures, monitors and controls that risk; and
  3. (3) SYSC 14.1.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems.

Insurance risk policy

SYSC 17.1.9

See Notes

handbook-guidance

A firm's insurance risk policy should outline its objectives in carrying out insurance business, its appetite for insurance risk and its policies for identifying, measuring, monitoring and controlling insurance risk. The insurance risk policy should cover any activities that are associated with the creation or management of insurance risk. For example, underwriting, claims management and settlement, assessing technical provisions in the balance sheet, risk mitigation and risk transfer, record keeping and management reporting. Specific matters that should normally be in a firm's insurance risk policy include:

  1. (1) a statement of the firm's willingness and capacity to accept insurance risk;
  2. (2) the classes and characteristics of insurance business that the firm is prepared to accept;
  3. (3) the underwriting criteria that the firm intends to adopt, including how these can influence its rating and pricing decisions;
  4. (4) its approach to limiting significant aggregations of insurance risk, for example, by setting limits on the amount of business that can be underwritten in one region or with one policyholder;
  5. (5) where relevant, the firm's approach to pricing long-term insurance contracts, including the determination of the appropriate level of any reviewable premiums;
  6. (6) the firm's policy for identifying, monitoring and managing risk when it has delegated underwriting authority to another party (additional guidance on the management of outsourcing arrangements is provided in SYSC 13.9);
  7. (7) the firm's approach to managing its expense levels, including acquisition costs, recurring costs, and one-off costs, taking account of the margins available in both the prices for products and in the technical provisions in the balance sheet;
  8. (8) the firm's approach to the exercise of any discretion (e.g. on charges or the level of benefits payable) that is available in its long-term insurance contracts, in the context also of the legal and regulatory constraints existing on the application of this discretion;
  9. (9) the firm's approach to the inclusion of options within new long-term insurance contracts and to the possible exercise by policyholders of options on existing contracts;
  10. (10) the firm's approach to managing persistency risk;
  11. (11) the firm's approach to managing risks arising from timing differences in taxation or from changes in tax laws;
  12. (12) the firm's approach to the use of reinsurance or the use of some other means of risk transfer;
  13. (13) how the firm intends to assess the effectiveness of its risk transfer arrangements and manage the residual or transformed risks (for example, how it intends to handle disputes over contract wordings, potential payout delays and counterparty performance risks);
  14. (14) a summary of the data and information to be collected and reported on underwriting, claims and risk control (including internal accounting records), management reporting requirements and external data for risk assessment purposes;
  15. (15) the risk measurement and analysis techniques to be used for setting underwriting premiums, technical provisions in the balance sheet, and assessing capital requirements; and
  16. (16) the firm's approach to stress testing and scenario analysis, as required by GENPRU 1.2 (Adequacy of financial resources), including the methods adopted, any assumptions made and the use that is to be made of the results.

SYSC 17.1.10

See Notes

handbook-guidance
Further, more detailed, guidance is given in SYSC 17.1.11 G to SYSC 17.1.37 G on the identification, measurement, monitoring and control (including the use of reinsurance and other forms of risk transfer) of insurance risk. A firm should consider what additional material to that set out above should be included in its insurance risk policy on each of these for its various activities.

Risk identification

SYSC 17.1.11

See Notes

handbook-guidance
A firm should seek to identify the causes of fluctuations in the occurrence, amount and timing of its insurance liabilities. A firm should also seek to identify aggregations of risk that may give rise to large single or multiple claims.

SYSC 17.1.12

See Notes

handbook-guidance

The identification of insurance risk should normally include:

  1. (1) in connection with the firm's business plan:
    1. (a) processes for identifying the types of insurance risks that may be associated with a new product and for comparing the risk types that are present in different classes of business (in order to identify possible aggregations in particular insurance risks); and
    2. (b) processes for identifying business environment changes (for example landmark legal rulings) and for collecting internal and external data to test and modify business plans;
  2. (2) at the point of sale, processes for identifying the underwriting risks associated with a particular policyholder or a group of policyholders (for example, processes for identifying potential claims for mis-selling and for collecting information on the claims histories of policyholders, including whether they have made any potentially false or inaccurate claims, to identify possible adverse selection or moral hazard problems);
  3. (3) after the point of sale, processes for identifying potential and emerging claims for the purposes of claims management and claims provisioning; this could include:
    1. (a) identifying possible judicial rulings;
    2. (b) keeping up to date with developments in market practice; and
    3. (c) collecting information on industry wide initiatives and settlements.

SYSC 17.1.13

See Notes

handbook-guidance
A firm should also identify potential pricing risks, where the liabilities or costs arising from the sale of a product may not be as expected.

Risk measurement

SYSC 17.1.14

See Notes

handbook-guidance
A firm should have in place appropriate systems for collecting the data it needs to measure insurance risk. At a minimum this data should be capable of allowing a firm to evaluate the types of claims experienced, claims frequency and severity, expense levels, persistency levels and, where relevant, potential changes in the value of guarantees and options in long-term insurance contracts.

SYSC 17.1.15

See Notes

handbook-guidance

A firm should ensure that the data it collects and the measurement methodologies that it uses are sufficient to enable it to evaluate, as appropriate:

  1. (1) its exposure to insurance risk at all relevant levels, for example, by contract, policyholder, product line or insurance class;
  2. (2) its exposure to insurance risk across different geographical areas and time horizons;
  3. (3) its total, firm-wide, exposure to insurance risk and any other risks that may arise out of the contracts of insurance that it issues;
  4. (4) how changes in the volume of business (for example via changes in premium levels or the number of new contracts that are underwritten) may influence its exposure to insurance risk;
  5. (5) how changes in policy terms may influence its exposure to insurance risk; and
  6. (6) the effects of specific loss scenarios on the insurance liabilities of the firm.

SYSC 17.1.16

See Notes

handbook-guidance
A firm should hold data in a manner that allows for it to be used in a flexible way. For example, data should be sufficiently detailed and disaggregated so that contract details may be aggregated in different combinations to assess different risks.

SYSC 17.1.17

See Notes

handbook-guidance
A firm should be able to justify its choice of measurement methodologies. This justification should normally be documented.

SYSC 17.1.18

See Notes

handbook-guidance
A firm should periodically review the appropriateness of the measurement methodologies that it uses. This could, for example, include back testing (that is, by comparing actual versus expected results) and updating for changes in market practice.

SYSC 17.1.19

See Notes

handbook-guidance
A firm should ensure that it has access to the necessary skills and resources that it needs to measure insurance risk using its chosen methodology.

SYSC 17.1.20

See Notes

handbook-guidance
When measuring its insurance risks, a firm should consider how emerging experience could be used to update its underwriting process, in particular in relation to contract terms and pricing and also its assessment of the technical provisions in the balance sheet.

SYSC 17.1.21

See Notes

handbook-guidance

A firm should have the capability to measure its exposure to insurance risk on a regular basis. In deciding on the frequency of measurement, a firm should consider:

  1. (1) the time it takes to acquire and process all necessary data;
  2. (2) the speed at which exposures could change; and
  3. (3) that it may need to measure its exposure to certain types of insurance risk on a daily basis (for example, weather catastrophes).

Risk monitoring

SYSC 17.1.22

See Notes

handbook-guidance

A firm should provide regular and timely information on its insurance risks to the appropriate level of management. This could include providing reports on the following:

  1. (1) a statement of the firm's profits or losses for each class of business that it underwrites (with an associated analysis of how these have arisen for any long-term insurance contracts), including a variance analysis detailing any deviations from budget or changes in the key performance indicators that are used to assess the success of its business plan for insurance;
  2. (2) the firm's exposure to insurance risk at all relevant levels (see SYSC 17.1.15G (1)), as well as across different geographical areas and time zones (see SYSC 17.1.15G (2)), also senior management should be kept informed of the firm's total exposure to insurance risk (see SYSC 17.1.15G (3));
  3. (3) an analysis of any internal or external trends that could influence the firm's exposure to insurance risk in the future (e.g. new weather patterns, socio-demographic changes, expense overruns etc);
  4. (4) any new or emerging developments in claims experience (e.g. changes in the type of claims, average claim amounts or the number of similar claims);
  5. (5) the results of any stress testing or scenario analyses;
  6. (6) the amount and details of new business written and the amount of business that has lapsed or been cancelled;
  7. (7) identified fraudulent claims;
  8. (8) a watch list, detailing, for example, material/catastrophic events that could give rise to significant numbers of new claims or very large claims, contested claims, client complaints, legal and other developments;
  9. (9) the performance of any reinsurance/risk transfer arrangements; and
  10. (10) progress reports on matters that have previously been referred under escalation procedures (see SYSC 17.1.23 G).

SYSC 17.1.23

See Notes

handbook-guidance

A firm should establish and maintain procedures for the escalation of appropriate matters to the relevant level of management. Such matters may include:

  1. (1) any significant new exposures to insurance risk, including for example any landmark rulings in the courts;
  2. (2) a significant increase in the size or number of claims;
  3. (3) any breaches of the limits set out in SYSC 17.1.27 G and SYSC 17.1.28 G, in particular senior management should be informed where any maximum limits have been breached (see SYSC 17.1.29 G); and
  4. (4) any unauthorised deviations from its insurance risk policy (including those by a broker, appointed representative or other delegated authority).

SYSC 17.1.24

See Notes

handbook-guidance
A firm should regularly monitor the effectiveness of its analysis techniques for setting provisions for claims on general insurance contracts.

SYSC 17.1.25

See Notes

handbook-guidance
A firm should have appropriate procedures in place to allow managers to monitor the application (and hence the effect) of its reinsurance programme. This would include, for a general insurer, procedures for monitoring how its reinsurance programme affects the gross provisions that it makes for outstanding claims (including claims that are incurred but not reported).

Risk control

SYSC 17.1.26

See Notes

handbook-guidance
A firm should take appropriate action to ensure that it is not exposed to insurance risk in excess of its risk appetite. In so doing, the firm should be both reactive, responding to actual increases in exposure, and proactive, responding to potential future increases. Being proactive should involve close co-ordination between the processes of risk control, risk identification and risk measurement, as potential future exposures need to be identified and understood before effective action can be taken to control them.

SYSC 17.1.27

See Notes

handbook-guidance

A firm should consider setting limits for its exposure to insurance risk, which trigger action to be taken to control exposure. Periodically these limits should be amended in the light of new information (e.g. on the expected number or size of claims). For example, limits could be set for:

  1. (1) the firm's aggregate exposure to a single source of insurance risk or for events that may be the result of a number of different sources;
  2. (2) the firm's exposure to specific geographic areas or any other groupings of risks whose outcomes may be positively correlated;
  3. (3) the number of fraudulent claims;
  4. (4) the number of very large claims that could arise;
  5. (5) the number of unauthorised deviations from its insurance risk policy;
  6. (6) the amount of insurance risk than can be transferred to a particular reinsurer;
  7. (7) the level of expenses incurred in respect of each relevant business area; and
  8. (8) the level of persistency by product line or distribution channel.

SYSC 17.1.28

See Notes

handbook-guidance
A firm should also consider setting individual underwriting limits for all employees and agents that have the authority to underwrite insurance risk. This could include both monetary limits and limits on the types of risk that they can underwrite. Where individual underwriting limits are set, the firm should ensure that they are adhered to.

SYSC 17.1.29

See Notes

handbook-guidance
In addition to setting some 'normal' limits for insurance risk, a firm should consider setting some maximum limits, beyond which immediate, emergency action should be taken. These maximum limits could be determined through stress testing and scenario analysis.

SYSC 17.1.30

See Notes

handbook-guidance

A firm should pay close attention to the wording of its policy documentation to ensure that these wordings do not expose it to more, or higher, claims than it is expecting. In so doing, the firm should consider:

  1. (1) whether it has adequate in-house legal resources;
  2. (2) the need for periodic independent legal review of policy documentation;
  3. (3) the use of standardised documentation and referral procedures for variation of terms;
  4. (4) reviewing the documentation used by other insurance companies;
  5. (5) revising documentation for new policies in the light of past experience; and
  6. (6) the operation of law in the jurisdiction of the policyholder.

SYSC 17.1.31

See Notes

handbook-guidance
A firm should ensure that it has appropriate systems and controls for assessing the validity of claims. This could involve consideration of the evidence that will be required from policyholders and how this evidence is to be tested as well as procedures to determine when experts such as loss adjusters, lawyers or accountants should be used.

SYSC 17.1.32

See Notes

handbook-guidance
Particular care should be taken to ensure that a firm has appropriate systems and controls to deal with large claims or large groups of claims that could significantly deplete its financial resources. This should include systems to ensure that senior management (that is, the governing body and relevant senior managers) is involved in the processing of such claims from the outset.

SYSC 17.1.33

See Notes

handbook-guidance
A firm should consider how it intends to use reinsurance or some other form of insurance risk transfer agreement to help to control its exposure to insurance risk. Additional guidance on the use of reinsurance/risk transfer is provided below.

Reinsurance and other forms of risk transfer

SYSC 17.1.34

See Notes

handbook-guidance

Before entering into or significantly changing a reinsurance agreement, or any other form of insurance risk transfer agreement, a firm should:

  1. (1) analyse how the proposed reinsurance/risk transfer agreement will affect its exposure to insurance risk, its underwriting strategy and its ability to meet its regulatory obligations;
  2. (2) ensure there are adequate legal checking procedures in respect of the draft agreement;
  3. (3) conduct an appropriate due diligence of the reinsurer's financial stability (that is, solvency) and expertise; and
  4. (4) understand the nature and limits of the agreement (particular attention should be given to the wording of contracts to ensure that all of the required risks are covered, that the level of available cover is appropriate, and that all the terms, conditions and warranties are unambiguous and understood).

SYSC 17.1.35

See Notes

handbook-guidance

In managing its reinsurance agreements, or any other form of insurance risk transfer agreement, a firm should have in place appropriate systems that allow it to maintain its desired level of cover. This could involve systems for:

  1. (1) monitoring the risks that are covered (that is, the scope of cover) by these agreements and the level of available cover;
  2. (2) keeping underwriting staff informed of any changes in the scope or level of cover;
  3. (3) properly co-ordinating all reinsurance/risk transfer activities so that, in aggregate, the desired level and scope of cover is maintained;
  4. (4) ensuring that the firm does not become overly reliant on any one reinsurer or other risk transfer provider; or
  5. (5) conducting regular stress testing and scenario analysis to assess the resilience of its reinsurance and risk transfer programmes to catastrophic events that may give rise to large and or numerous claims.

SYSC 17.1.36

See Notes

handbook-guidance

In making a claim on a reinsurance contract (that is, its reinsurance recoveries) or some other risk transfer contract a firm should ensure:

  1. (1) that it is able to identify and recover any money that it is due in a timely manner; and
  2. (2) that it makes adequate financial provision for the risk that it is unable to recover any money that it expected to be due, as a result of either a dispute with or a default by the reinsurer/risk transfer provider. Additional guidance on credit risk in reinsurance/risk transfer contracts is provided in INSPRU 2.1 (Credit risk in insurance).

SYSC 17.1.37

See Notes

handbook-guidance
Where the planned level or scope of cover from a reinsurance/risk transfer contract is not obtained, a firm should consider revising its underwriting strategy.

Record keeping

SYSC 17.1.38

See Notes

handbook-guidance

The FSA's high level rules and guidance for record keeping are outlined in SYSC 3.2.20 R (Records). Additional rules and guidance in relation to the prudential context are set out in SYSC 14.1.51 G to SYSC 14.1.64 G. In complying with these rules and guidance, a firm should retain an appropriate record of its insurance risk management activities. This may, for example, include records of:

  1. (1) each new risk that is underwritten (noting that these records may be held by agents or cedants, rather than directly by the firm provided that the firm has adequate access to those records);
  2. (2) any material aggregation of exposure to risk from a single source, or of the same kind or to the same potential catastrophe or event;
  3. (3) each notified claim including the amounts notified and paid, precautionary notices and any re-opened claims;
  4. (4) policy and contractual documents and any relevant representations made to policyholders;
  5. (5) other events or circumstances relevant to determining the risks and commitments that arise out of contracts of insurance (including discretionary benefits and charges under any long-term insurance contracts);
  6. (6) the formal wordings of reinsurance contracts; and
  7. (7) any other relevant information on the