Related provisions for SYSC 3.2.6C
21 - 40 of 104 items.
Before entering into, or significantly changing, an outsourcing arrangement, a firm should:(1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;(2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;(3) conduct appropriate due diligence of the service
In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls. The use of such reports does not absolve the firm of responsibility to maintain other oversight. In addition, the firm should not normally have to forfeit its right to access, for itself or its agents, to the service provider's premises.
In determining whether a matter is significant, a firm should have regard to:(1) the size of any monetary loss or potential monetary loss to itself or its customers (either in terms of a single incident or group of similar or related incidents);(2) the risk of reputational loss to the firm; and(3) whether the incident or a pattern of incidents reflects weaknesses in the firm's internal controls.
2The information referred to in ICOBS 8.4.4R (1)(b)(ii) is:(1) a description of the ways in which the firm, in its production of the register, is not materially compliant;(2) the number of policies, in relation to which, either:(a) the firm is not able to include any information in the register; and/or(b) information is included in the register but information may be incorrect or incomplete;in each case as a proportion of the total number of policies required to be included in
2In relation to the written statement referred to in ICOBS 8.4.4R (1)(b):(1) ICOBS 8.4.4R (1)(b) does not preclude the relevant director from, in addition, including in the director's statement any of the following as relevant:(a) if a firm's employers’ liability register is more than materially compliant, a statement to this effect, and/or a statement of the extent to which the director considers, to the best of his knowledge, the firm to be compliant in its production of the
2The requirement referred to in ICOBS 8.4.9R (7)(b) is that the report must include an opinion from the auditor confirming whether, in all material respects, the tracing office maintains a database which accurately and reliably stores information submitted to it by firms for the purpose of complying with relevant requirements in ICOBS 8.4 and that it has systems which can adequately keep it up to date in the light of new information provided by firms.
In determining whether the UK recognised body meets the recognition requirement in Regulation 6(3), the FCA3 may have regard to whether that body has ensured that the person who performs that function on its behalf:3(1) has sufficient resources to be able to perform the function (after allowing for any other activities);(2) has adequate systems and controls to manage that function and to report on its performance to the UK recognised body;(3) is managed by persons of sufficient
In determining whether a UK recognised body continues to satisfy the recognition requirements where it has made arrangements for any function to be performed on its behalf by any person , the FCA3 may have regard, in addition to any of the matters described in the appropriate section of this chapter, to the arrangements made to exercise control over the performance of the function, including:3(1) the contracts (and other relevant documents) between the UK recognised body and the
3(1) A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.8(2) [deleted]1313[Note: article 74
A common platform firm and a management company10 must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.[Note: article 5(5) of the MiFID implementing Directive and article 4(5) of the UCITS implementing Directive]10
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface
The records and internal controls required by CASS 8.3.1 R must include:(1) an up-to-date list of each mandate that the firm has obtained, including a record of any conditions placed by the client or the firm's management on the use of the mandate;(2) a record of each transaction entered into under each mandate that the firm has;(3) internal controls to ensure that each transaction entered into under each mandate that the firm has is in accordance with any conditions placed by
Subject to DTR 7.2.11 R, an issuer which is required to prepare a group directors’ report within the meaning of section 415(2) of the Companies Act 2006 must include in that report a description of the main features of the group’s internal control and risk management systems in relation to the process for preparing consolidated accounts. In the event that the issuer presents its own annual report and its consolidated annual report as a single report, this information must be
The model review process may be conducted through a series of visits covering various aspects of the firm's control and IT environment. Before these visits the appropriate regulator may ask the firm to provide some information relating to its waiver request accompanied by some specified background material. The model review visits are organised on a timetable that allows a firm being visited sufficient time to arrange the visit and provide the appropriate pre-visit informatio
As part of the model review process, the following may be reviewed: organisational structure and personnel; details of the firm's market position in the relevant products; profit and risk information; valuation and reserving policies; operational controls; IT systems; model release and control procedures; risk management and control framework; risk appetite and limit structure and future developments relevant to model recognition.
(1) A firm should have a conceptually sound risk management system which is implemented with integrity and should meet the minimum standards set out in this paragraph.(2) A firm should have a risk control unit that is independent of business trading units and reports directly to senior management. The unit should be responsible for designing and implementing the firm's risk management system. It should produce and analyse daily reports on the risks run by the business and on the
Recognised bodies may receive complaints from time to time from their members and other people, both about the conduct of members and about the recognised body itself. A UK recognised body will need to have satisfactory arrangements to investigate these complaints in order to satisfy the relevant recognition requirements (see REC 2.15 and REC 2.16) or RAP recognition requirements (see REC 2A.3.2 G).1
Where the FCA2 receives a complaint about a recognised body, it will, in the first instance, seek to establish whether the complainant has approached the recognised body. Where this is not the case, the FCA2 will ask the complainant to complain to the recognised body. Where the complainant is dissatisfied with the handling of the complaint, but has not exhausted the recognised body's own internal complaints procedures (in the case of a complaint against a UK recognised body, including
A common platform firm and a management company5 must, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services and activities,5 undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm and which has the following responsibilities:5(1) to establish, implement and maintain
1The term 'internal audit function' in SYSC 6.2.1 R (and SYSC 4.1.11 G) refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies.The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).42
(1) CASS
5.4 permits a firm, which
has adequate resources, systems and controls, to declare a trust on terms
which expressly authorise it, in its capacity as trustee, to make advances
of credit to the firm'sclients. The client
money trust required by CASS
5.4 extends to such debt obligations
which will arise if the firm,
as trustee, makes credit advances, to enable a client's3premium obligations
to be met before the premium is
remitted to the firm and similarly
if it allows claims
A firm may
not handle client money in accordance
with the rules in this section
unless each of the following conditions is satisfied:(1) the firm must have and maintain systems and controls
which are adequate to ensure that the firm is
able to monitor and manage its client money transactions
and any credit risk arising from the operation of the trust arrangement and,
if in accordance with CASS 5.4.2 R a firm complies
with both the rules in CASS
5.3 and CASS
5.4, such systems and
A firm should establish and maintain appropriate systems and controls for the management of the risks involved in expected changes, such as by ensuring:(1) the adequacy of its organisation and reporting structure for managing the change (including the adequacy of senior management oversight);(2) the adequacy of the management processes and systems for managing the change (including planning, approval, implementation and review processes); and(3) the adequacy of its strategy
The high level requirement for appropriate systems and controls at SYSC 3.1.1 R applies at all times, including when a business continuity plan is invoked. However, the appropriate regulator recognises that, in an emergency, a firm may be unable to comply with a particular rule and the conditions for relief are outlined in GEN 1.3 (Emergency).
(1) [deleted]88(2) In this context, the FCA will interpret the term 'appropriate88' as meaning sufficient in terms of quantity, quality and availability, and 'resources' as including all financial resources (though only in the case of firms not carrying on, or seeking to carry on, a PRA-regulated activity)8, non-financial resources and means of managing its resources; for example, capital, provisions against liabilities, holdings of or access to cash and other liquid assets, human
(1) [deleted]88(2) Relevant matters to which the FCA may have regard when assessing whether a firm will satisfy, and continue to satisfy, this threshold condition8may include but are not limited to:(a) (in relation to a firm other than a firm carrying on, or seeking to carry on, a PRA-regulated activity),8 whether there are any indications that the firm may have difficulties if the application is granted, at the time of the grant or in the future, in complying with any of the
BIPRU 7.10 sets out the minimum standards that the appropriate regulator expects firms to meet before granting a VaR model permission. The appropriate regulator will not grant a VaR model permission unless it is satisfied that the requirements of BIPRU 7.10 are met and it is satisfied about the procedures in place at a firm to calculate the model PRR. In particular the appropriate regulator will not normally grant a VaR model permission unless it is satisfied about the quality
As part of the process for dealing with an application for a VaR model permission the following may be reviewed: organisational structure and personnel; details of the firm's market position in the relevant products; revenue and risk information; valuation and reserving policies; operational controls; information technology systems; model release and control procedures; risk management and control framework; risk appetite and limit structure; future developments relevant to model
In assessing whether the VaR model is implemented with integrity as described in BIPRU 7.10.58R (Stress testing), the appropriate regulator will consider in particular the information technology systems used to run the model and associated calculations. The assessment may include:(1) feeder systems; risk aggregation systems; time series databases; the VaR model system; stress testing system; the backtesting system including profit and loss cleaning systems where appropriate; data
Under Principle 11 and SUP 15.3.1 R, a firm must notify the appropriate regulator immediately of any operational risk matter of which the appropriate regulator would reasonably expect notice. SUP 15.3.8 G provides guidance on the occurrences that this requirement covers, which include a significant failure in systems and controls and a significant operational loss.
1A firm operating an MTF must:(1) report to the FCA:(a) significant breaches of the firm's rules;(b) disorderly trading conditions; and(c) conduct that may involve market abuse; (2) supply the information required under this rule without delay to the FCA and any other authority competent for the investigation and prosecution of market abuse; and (3) provide full assistance to the FCA, and any other authority competent for the investigation and prosecution of market abuse, in
A firm should consider whether it should notify the FCA and the PRA (if it is a PRA-authorisedfirm) or the FCA (in all other cases) under Principle 11 if:(1) the firm expects or knows its auditor will qualify his report on the audited annual financial statements or add an explanatory paragraph; or (2) the firm receives a written communication from its auditor commenting on internal controls (see also SUP 15.3).
Except for operational risk, a firm that is permitted to use internal approaches for the calculation of risk weighted exposure amounts or own fund requirements must report annually to the FCA: (1) the results of the calculations of its internal approaches for its exposures or positions that are included in the benchmark portfolios; and(2) an explanation of the methodologies used to produce those calculations in (1).[Note: article 78(1) of CRD]