SYSC 4.1 General requirements
-
(1)
A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.8
-
(2)
8A BIPRU firm and a third country BIPRU firm must comply with the Remuneration Code.
[Note: article 22(1) of the Banking Consolidation Directive, article 13(5) second paragraph of MiFID and article 12(1)(a) of the UCITS Directive]10
For a common platform firm, the 3 arrangements, processes and mechanisms referred to in SYSC 4.1.1 R must be comprehensive and proportionate to the nature, scale and complexity ofSYSC 4.1.7 R, SYSC 5.1.7 R ,8SYSC 7 and (for a BIPRU firm and a third country BIPRU firm)SYSC 19A.8
3[Note: article 22(2) of the Banking Consolidation Directive]
3Other firms should take account of the comprehensiveness and proportionality rule (SYSC 4.1.2 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G5.9
10For a management company, the arrangements, processes and mechanisms referred to in SYSC 4.1.1 R must also take account of the UCITS schemes and EEA UCITS schemes managed by the management company.
[Note: article 12(1) second paragraph of the UCITS Directive]
Resources for management companies
10A management company must have, and employ effectively, the resources and procedures that are necessary for the proper performance of its business activities.
[Note: articles 12(1)(a) and 14(1)(c) of the UCITS Directive]
Mechanisms and procedures for a BIPRU firm10
A BIPRU firm must ensure that its internal control mechanisms and administrative and accounting procedures permit the verification of its compliance with rules adopted in accordance with the Capital Adequacy Directive at all times.
[Note: article 35(1) final sentence of the Capital Adequacy Directive]
A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements))3 must, taking into account the nature, scale and complexity of the business of the firm, and the nature and range of the financial services and activities 3undertaken in the course of that business:
3 10-
(1)
(if it is a common platform firm or a management company)10 establish, implement and maintain decision-making procedures and an organisational structure which clearly and in a documented manner specifies reporting lines and allocates functions and responsibilities;
3 - (2)
establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm;
10 -
(3)
(if it is a common platform firm) 3establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the firm; and10
-
(4)
10(if it is a management company) establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the management company as well as effective information flows with any third party involved.
[Note: articles 5(1) final paragraph, 5(1)(a), 5(1)(c) and 5(1)(e) of the MiFID implementing Directive and articles 4(1) final paragraph, 4(1)(a), 4(1)(c) and 4(1)(d) of the UCITS implementing Directive]10
3A firm that is not a common platform firm or a management company10 should take into account the decision-making procedures and effective internal reporting rules (SYSC 4.1.4R (1),10(3) and (4))10 as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G5.
A MiFID investment firm and a management company10 must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.
[Note:
article 5(2) of the MiFID implementing Directive and article 4(2) of the UCITS implementing Directive]10
Business continuity
A common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm3 must employ appropriate and proportionate systems, resources and procedures.
[Note: article
13(4) of MiFID]
A common platform firm and a management company10 must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities,10 or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.10
[Note:
article 5(3) of the MiFID implementing Directive,10 annex V paragraph 13 of the Banking Consolidation Directive and article 4(3) of the UCITS implementing Directive]10
10 103Other firms should take account of the business continuity rules (SYSC 4.1.6 R and 4.1.7 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G5.
The matters dealt with in a business continuity policy should include:
- (1)
resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
- (2)
the recovery priorities for the firm's operations;
- (3)
communication arrangements for internal and external concerned parties (including the FSA, clients and the press);
- (4)
escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
- (5)
processes to validate the integrity of information affected by the disruption; and
- (6)
regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC 4.1.10 R.
An operator of an electronic system in relation to lending must take reasonable steps to ensure that arrangements are in place to ensure that P2P agreements facilitated by it will continue to be managed and administered, in accordance with the contract terms, if at any time it ceases to carry on the activity of operating an electronic system in relation to lending.
Accounting policies
A common platform firm and a management company10 must establish, implement and maintain accounting policies and procedures that enable it, at the request of the FSA, to deliver in a timely manner to the FSA financial reports which reflect a true and fair view of its financial position and which comply with all applicable accounting standards and rules.
[Note:
article 5(4) of the MiFID implementing Directive and article 4(4) of the UCITS implementing Directive]10
Regular monitoring
A common platform firm and a management company10 must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.
[Note:
article 5(5) of the MiFID implementing Directive and article 4(5) of the UCITS implementing Directive]10
3Other firms should take account of the regular monitoring rule (SYSC 4.1.10 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G5, but ignoring the cross-reference to SYSC 4.1.5 R and 4.1.9 R.
Audit committee
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface between management and external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.
Risk control: additional guidance
Apportionment of responsibilities: the role of the non-executive director
7The role undertaken by a non-executive director will vary from one firm to another. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes.