Related provisions for SYSC 3.2.1

SYSC 12.1.6GRP
The purpose of this chapter is to set out how the systems and control requirements imposed by SYSC (Senior Management Arrangements, Systems and Controls) apply where a firm is part of a group. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.
SYSC 12.1.7GRP
This section implements Articles 73(3) (Supervision on a consolidated basis of credit institutions) and 138 (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directive and Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes).
SYSC 12.1.8RRP
A firm must: (1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and (2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.
SYSC 12.1.9GRP
For the purposes of SYSC 12.1.8 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business and of the risks that the group bears. Unless the firm is a Solvency II firm, risk management processes must include the stress testing and scenario analysis required by GENPRU 1.2.42 R and GENPRU 1.2.49R (1)(b).
SYSC 12.1.10RRP
The internal control mechanisms referred to in SYSC 12.1.8 R must include: (1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency, systems and controls and large exposures): (a) to which the firm is subject with respect to its membership of a group; or (b)
SYSC 12.1.12RRP
Where this section applies with respect to a financial conglomerate, the internal control mechanisms referred to in SYSC 12.1.8R (2) or, for a Solvency II firm, the internal control system referred to in the PRA Rulebook: Solvency II firms: Conditions Governing Business, rule 3, must include: (1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate
SYSC 12.1.13RRP
If this rule applies under SYSC 12.1.14 R to a firm, the firm must: (1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEA sub-group of which it is a member, as well as in relation to its group; and (2) ensure that the risk management processes and internal control mechanisms at the level of any consolidation group or non-EEA sub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated)
SYSC 12.1.15RRP
In the case of a firm that: (1) is a CRR firm; and (2) has a mixed-activity holding company as a parent undertaking; the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm's parent undertaking mixed-activity holding company and any of the mixed-activity holding company's subsidiary
SYSC 12.1.18GRP
Assessment of the adequacy of a group's systems and controls required by this section will form part of the appropriate regulator's risk management process.
SYSC 12.1.19GRP
The nature and extent of the systems and controls necessary under SYSC 12.1.8R (1) to address group risk will vary according to the materiality of those risks to the firm and the position of the firm within the group.
SYSC 12.1.20GRP
In some cases the management of the systems and controls used to address the risks described in SYSC 12.1.8R (1) may be organised on a group-wide basis. If the firm is not carrying out those functions itself, it should delegate them to the group members that are carrying them out. However, this does not relieve the firm of responsibility for complying with its obligations under SYSC 12.1.8R (1). A firm cannot absolve itself of such a responsibility by claiming that any breach
SYSC 12.1.21GRP
SYSC 12.1.8R (1) deals with the systems and controls that a firm should have in respect of the exposure it has to the rest of the group. On the other hand, the purpose of SYSC 12.1.8R (2) and the rules in this section that amplify it is to require groups to have adequate systems and controls. However a group is not a single legal entity on which obligations can be imposed. Therefore the obligations have to be placed on individual firms. The purpose of imposing the obligations
SYSC 12.1.22GRP
If both a firm and its parent undertaking are subject to SYSC 12.1.8R (2), the appropriate regulator would not expect systems and controls to be duplicated. In this case, the firm should assess whether and to what extent it can rely on its parent's group risk systems and controls.
SYSC 3.2.4GRP
(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor. (2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.
SYSC 3.2.6RRP
A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
SYSC 3.2.6ARRP
A firm must ensure that these systems and controls: (1) enable it to identify, assess, monitor and manage money laundering risk; and (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
SYSC 3.2.6CRRP
A firm must carry out regular assessments of the adequacy of these systems and controls to ensure that it continues to comply with SYSC 3.2.6A R.
SYSC 3.2.6EGRP
The FCA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the UK financial sector issued by the Joint Money Laundering Steering Group.
SYSC 3.2.6FGRP
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including: (1) its customer, product and activity profiles; (2) its distribution channels; (3) the complexity and volume of its transactions; (4) its processes and systems; and (5) its operating environment.
SYSC 3.2.6GGRP
A firm should ensure that the systems and controls include: (1) appropriate training for its employees in relation to money laundering; (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls; (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
SYSC 3.2.6HRRP
A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.
SYSC 3.2.6IRRP
A firm must: (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FCA's rules on systems and controls against money laundering; and (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
SYSC 3.2.13GRP
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it.
SYSC 3.2.15GRP
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G)
SYSC 3.2.16GRP
(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities
SYSC 3.2.21GRP
A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
REC 2.5.1UKRP

Schedule to the Recognition Requirements Regulations, paragraph 3

(1) The [UK RIE] must ensure that the systems and controls used in the performance of its [relevant functions] are adequate, and appropriate for the scale and nature of its business.

(2) Sub-paragraph (1) applies in particular to systems and controls concerning -

(a) the transmission of information;

(b) the assessment, mitigation and management of risks to the performance of the [UK RIE's relevant functions];

(c) the effecting and monitoring of transactions on the [UK RIE];

(ca) the technical operation of the [UK RIE], including contingency arrangements for disruption to its facilities;

(d) the operation of the arrangements mentioned in paragraph 4(2)(d); and

(e) (where relevant) the safeguarding and administration of assets belonging to users of the [UK RIE's] facilities.

REC 2.5.3GRP
In assessing whether the systems and controls used by a UK recognised body in the performance of its relevant functions are adequate and appropriate for the scale and nature of its business, the FCA may have regard to the UK recognised body's: (1) arrangements for managing, controlling and carrying out its relevant functions, including: (a) the distribution of duties and responsibilities among its key individuals and the departments of the UK recognised body responsible for performing
REC 2.5.4GRP
The following paragraphs set out other matters to which the FCA may have regard in assessing the systems and controls used for the transmission of information, risk management, the effecting and monitoring of transactions, the operation of settlement arrangements (the matters covered in paragraph 4(2)(d) of the Schedule to the Recognition Requirements Regulations) and the safeguarding and administration of assets.
REC 2.5.6GRP
In assessing a UK recognised body's systems and controls for assessing and managing risk, the FCA may also have regard to the extent to which these systems and controls enable the UK recognised body to: (1) identify all the general, operational, legal and market risks wherever they arise in its activities; (2) measure and control the different types of risk; (3) allocate responsibility for risk management to persons with appropriate knowledge and expertise; and (4) provide sufficient,
REC 2.5.8GRP
In assessing a UK RIE's systems and controls for the effecting and monitoring of transactions, and for the operation of settlement arrangements, the FCA may have regard to the totality of the arrangements and processes through which the UK RIE's transactions are effected, cleared, and settled, including: (1) a UK RIE's arrangements under which orders are received and matched, its arrangements for trade and transaction reporting, and (if relevant) its arrangements with another
REC 2.5.9GRP
In assessing a UK recognised body's systems and controls for the safeguarding and administration of assets belonging to users of its facilities, the FCA may have regard to the totality of the arrangements and processes by which the UK recognised body: (1) records the assets held and the identity of the owners of (and other persons with relevant rights over) those assets; (2) records any instructions given in relation to those assets; (3) records the carrying out of those instructions; (4)
REC 2.5.12GRP
REC 2.5.13 G to REC 2.5.16 G set out the factors to which the FCA may have regard in assessing a UK recognised body's systems and controls for managing conflicts of interest.
REC 2.5.14GRP
The FCA may also have regard to the systems and controls intended to ensure that confidential information is only used for proper purposes. Where relevant, recognised bodies will have to comply with section 348 (Restrictions on disclosure of confidential information by the FCA etc.) and regulations made under section 349 (Exemptions from section 348) of the Act.
REC 2.5.17GRP
A UK recognised body's arrangements for internal and external audit will be an important part of its systems and controls. In assessing the adequacy of these arrangements, the FCA may have regard to: (1) the size, composition and terms of reference of any audit committee of the UK recognised body's governing body; (2) the frequency and scope of external audit; (3) the provision and scope of internal audit; (4) the staffing and resources of the UK recognised body's internal audit
REC 2.5.18GRP
Information technology is likely to be a major component of the systems and controls used by any UK recognised body. In assessing the adequacy of the information technology used by a UK recognised body to perform or support its relevant functions, the FCA may have regard to: (1) the organisation, management and resources of the information technology department within the UK recognised body; (2) the arrangements for controlling and documenting the design, development, implementation
REC 2.5.19GRP
The FCA may also have regard to the arrangements for maintaining, recording and enforcing technical and operational standards and specifications for information technology systems, including: (1) the procedures for the evaluation and selection of information technology systems; (2) the arrangements for testing information technology systems before live operations; (3) the procedures for problem management and system change; (4) the arrangements to monitor and report system performance,
REC 2.5.20GRP
The FCA may have regard to the arrangements made to keep clear and complete audit trails of all uses of information technology systems and to reconcile (where appropriate) the audit trails with equivalent information held by system users and other interested parties.
CREDS 2.2.1GRP
SYSC 4.1.1 R requires every firm, including a credit union, to have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing
CREDS 2.2.3GRP
A small version 1 credit union will not be expected to have the same systems and controls as a large version 2 credit union.
CREDS 2.2.8RRP
A credit union must establish, maintain and implement a fully documented system of control. [Note: a transitional provision applies to this rule: see CREDS TP 1.6.]
CREDS 2.2.9GRP
Guidance on the documentation of systems of control is given in CREDS 2.2.20 G to CREDS 2.2.23 G.
CREDS 2.2.11GRP
(1) The term 'internal audit function' in CREDS 2.2.10 E refers to the generally understood concept of internal audit within a firm, in other words the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28). (2) Guidance on internal audit is given in CREDS 2.2.40 G to CREDS 2.2.50 G.
CREDS 2.2.20GRP
CREDS 2.2.8 R requires a credit union's system of control to be fully documented. The documentation helps the committee of management to assess if systems are maintained and controls are operating effectively. It also helps those reviewing the systems to verify that the controls in place are those that have been authorised, and that they are adequate for their purpose.
CREDS 2.2.21GRP
(1) The committee of management should decide what form this documentation should take, but the committee should have in mind the following points. (a) Documents should be comprehensive: they should cover all material aspects of the operations of the credit union. (b) Documents should be integrated: separate elements of the system should be cross-referred so that the system can be viewed as a whole. (c) Documents should identify risks and the controls established to manage those
CREDS 2.2.23GRP
The documentation of IT controls should be integrated within the overall documentation of a credit union's system of control.
CREDS 2.2.25GRP
A credit union should have appropriate systems in place to fulfil its obligations with respect to adequacy, access, periods of retention, and security of records.
CREDS 2.2.31GRP
Some important compliance issues include: (1) insurance against fraud and dishonesty; (2) arrangements for the prevention, detection and reporting of money laundering; (3) establishing and maintaining a satisfactory system of control; (4) keeping proper books of account; (5) computation and application of profits; (6) investment of surplus funds; (7) capital requirements; (8) liquidity requirements; (9) limits on shares and loans; (10) maintenance of membership records; (11) submission
CREDS 2.2.42GRP
Depending upon the scale and nature of the credit union's activities, it may be appropriate for the audit committee to delegate the task of monitoring the effectiveness and appropriateness of its systems and controls to an employee or other third party.
CREDS 2.2.43GRP
The purposes of an internal audit are: (1) to ensure that the policies and procedures of the credit union are followed; (2) to provide the committee of management with a continuous appraisal of the overall effectiveness of the control systems, including proposed changes; (3) to recommend improvements where desirable or necessary; (4) to determine whether the internal controls established by the committee of management are being maintained properly and operated as laid down in the
CREDS 2.2.44GRP
The internal audit function (see CREDS 2.2.11G) should develop an audit plan, covering all aspects of the credit union's business. The audit plan should identify the scope and frequency of work to be carried out in each area. Areas identified as higher risk should be covered more frequently. However, over a set timeframe (likely to be one year) all areas should be covered. Care should be taken to avoid obvious patterns in assessing the different areas of the credit union's business,
SYSC 6.3.1RRP
A firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that: (1) enable it to identify, assess, monitor and manage money laundering risk; and (2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
SYSC 6.3.3RRP
A firm must carry out a regular assessment of the adequacy of these systems and controls to ensure that they continue to comply with SYSC 6.3.1 R.
SYSC 6.3.5GRP
The FCA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the United Kingdom financial sector issued by the Joint Money Laundering Steering Group.
SYSC 6.3.6GRP
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including: (1) its customer, product and activity profiles; (2) its distribution channels; (3) the complexity and volume of its transactions; (4) its processes and systems; and (5) its operating environment.
SYSC 6.3.7GRP
A firm should ensure that the systems and controls include: (1) appropriate training for its employees in relation to money laundering; (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls; (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
SYSC 6.3.8RRP
A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.
SYSC 6.3.9RRP
A firm (with the exception of a sole trader who has no employees) must: (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FCA's rules on systems and controls against money laundering; and (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
SYSC 13.7.1GRP
A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to: (1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems); (2)
SYSC 13.7.2GRP
Internal documentation may enhance understanding and aid continuity of operations, so a firm should ensure the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational risk.
SYSC 13.7.4GRP
A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so, a firm should have regard to: (1) compliance with applicable regulatory and other requirements; (2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard
SYSC 13.7.6GRP
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to: (1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight); (2) the extent to which technology requirements are addressed in its business strategy; (3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities
SYSC 13.7.7GRP
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to: (1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require
SYSC 13.7.8GRP
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).
SYSC 13.7.9GRP
Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to: (1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or
APER 4.7.3ERP
Failing to take reasonable steps to implement (either personally or through a compliance department or other departments) adequate and appropriate systems of control to comply with the relevant requirements and standards of the regulatory system in respect of the regulated activities of the firm in question (as referred to in Statement of Principle 7) falls within APER 4.7.2 E. In the case of an approved person who is responsible, under SYSC 2.1.3 R (2) or SYSC 4.4.5 R (2),
APER 4.7.7ERP
Failing to take reasonable steps to ensure that procedures and systems of control are reviewed and, if appropriate, improved, following the identification of significant breaches (whether suspected or actual) of the relevant requirements and standards of the regulatory system relating to the regulated activities of the firm in question (as referred to in Statement of Principle 7), falls within APER 4.7.2 E (see APER 4.7.13 G and APER 4.7.14 G).
APER 4.7.8ERP
Behaviour of the type referred to in APER 4.7.7 E includes, but is not limited to: (1) unreasonably failing to implement recommendations for improvements in systems and procedures; (2) unreasonably failing to implement recommendations for improvements to systems and procedures in a timely manner.
APER 4.7.10ERP
In the case of an approved person performing a significant influence function responsible for compliance under SYSC 3.2.8 R, SYSC 6.1.4 R or SYSC 6.1.4A R, failing to take reasonable steps to ensure that appropriate compliance systems and procedures are in place falls within APER 4.7.2A E (see APER 4.7.13 G and APER 4.7.14 G).
APER 4.7.11AERP
Where the approved person is a proprietary trader under SUP 10A.9.10 R, failing to maintain and comply with appropriate systems and controls in relation to that activity falls within APER 4.7.2A E.
APER 4.7.12GRP
An approved person performing a significant influence function need not himself put in place the systems of control in his business (APER 4.7.4 E). Whether he does this depends on his role and responsibilities. He should, however, take reasonable steps to ensure that the business for which he is responsible has operating procedures and systems which include well-defined steps for complying with the detail of relevant requirements and standards of the regulatory system and for
APER 4.7.13GRP
Where the approved person performing a significant influence function becomes aware of actual or suspected problems that involve possible breaches of relevant requirements and standards of the regulatory system falling within his area of responsibility, then he should take reasonable steps to ensure that they are dealt with in a timely and appropriate manner (APER 4.7.7 E). This may involve an adequate investigation to find out what systems or procedures may have failed and why.
APER 4.7.14GRP
Where independent reviews of systems and procedures have been undertaken and result in recommendations for improvement, the approved person performing a significant influence function should ensure that, unless there are good reasons not to, any reasonable recommendations are implemented in a timely manner (APER 4.7.10 E). What is reasonable will depend on the nature of the inadequacy and the cost of the improvement. It will be reasonable for the approved person performing a significant
SYSC 5.1.2GRP
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual's honesty and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
SYSC 5.1.8GRP
The effective segregation of duties is an important element in the internal controls of a firm in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm's governing body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems.
SYSC 5.1.9GRP
A firm should normally ensure that no single individual has unrestricted authority to do all of the following: (1) initiate a transaction; (2) bind the firm; (3) make payments; and (4) account for it.
SYSC 5.1.10GRP
Where a firm is unable to ensure the complete segregation of duties (for example, because it has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant senior managers).
SYSC 5.1.13RRP
The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business. [Note: article 5(1) final paragraph of the MiFID implementing Directive and articles 4(1) final paragraph and 5(4) of the UCITS implementing Directive]
SYSC 5.1.14RRP
A common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies. [Note: article 5(5) of the MiFID implementing Directive and articles 4(5) of the UCITS implementing Directive]
IFPRU 2.2.7RRP
A firm must have in place sound, effective and comprehensive strategies, processes and systems: (1) to assess and maintain, on an ongoing basis, the amounts, types and distribution of financial resources, own funds and internal capital that it considers adequate to cover: (a) the nature and level of the risks to which it is, or might be, exposed; (b) the risk in the overall financial adequacy rule; (c) the risk that the firm might not be able to meet the obligations in Part Three
IFPRU 2.2.12RRP
The processes, strategies and systems required by the overall Pillar 2 rule must be comprehensive and proportionate to the nature, scale and complexity of the firm's activities. [Note: article 73 second paragraph (part) of CRD]
IFPRU 2.2.13RRP
A firm must: (1) carry out regularly the assessments required by the overall Pillar 2 rule; and (2) carry out regular assessments of the processes, strategies and systems required by the overall Pillar 2 rule to ensure that they remain comprehensive and proportionate to the nature, scale and complexity of the firm's activities. [Note: article 73 second paragraph (part) of CRD]
IFPRU 2.2.15GRP
Certain risks, such as systems and controls weaknesses, may not be adequately addressed by, for example, holding additional capital and a more appropriate response would be to rectify the weakness. In such circumstances, the amount of financial resources required to address these risks might be zero. However, a firm should consider whether holding additional capital might be an appropriate response until the identified weaknesses are rectified. A firm should, in line with IFPRU
IFPRU 2.2.16GRP
A firm should carry out assessments of the sort described in the overall Pillar 2 rule and IFPRU 2.2.13 R at least annually, or more frequently if changes in the business, strategy, nature or scale of its activities or operational environment suggest that the current level of financial resources is no longer adequate. The appropriateness of the internal process, and the degree of involvement of senior management in the process, will be taken into account by the FCA when reviewing
IFPRU 2.2.19RRP
A firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions. [Note: article 79(c) of CRD]
IFPRU 2.2.60RRP
Compliance with the obligations in IFPRU 2.2.59 R must enable the FCA consolidation group or the non-EEA sub-group to have arrangements, processes and mechanisms that are consistent, well integrated and ensure that data relevant to the purpose of supervision can be produced. [Note: article 109(2) of CRD]
IFPRU 2.2.87GRP
A firm should satisfy itself that the systems (including IT) of the FCA consolidation group or the non-EEA sub-group of which it is a member are sufficiently sound to support the effective management and, where applicable, the quantification of the risks that could affect the FCA consolidation group or the non-EEA sub-group, as the case may be.
REC 3.16.1GRP
The purpose of REC 3.16 is to ensure that the FCA receives a copy of the UK recognised body's plans and arrangements for ensuring business continuity if there are major problems with its computer systems. The FCA does not need to be notified of minor revisions to, or updating of, the documents containing a UK recognised body's business continuity plan (for example, changes to contact names or telephone numbers).
REC 3.16.2RRP
Where a UK recognised body changes any of its plans for action in the event of a failure of any of its information technology systems resulting in disruption to the operation of its facilities, it must immediately give the FCA notice of that event, and a copy of the new plan.
REC 3.16.3RRP
Where any reserve information technology system of a UK recognised body fails in such a way that, if the main information technology system of that body were also to fail, it would be unable to operate any of its facilities during its normal hours of operation, that body must immediately give the FCA notice of that event, and inform the FCA: (1) what action that UK recognised body is taking to restore the operation of the reserve information technology system; and (2) when it
LR 7.2.1RRP

The Listing Principles are as follows:

Listing Principle 1

A listed company must take reasonable steps to establish and maintain adequate procedures, systems and controls to enable it to comply with its obligations.

Listing Principle 2

A listed company must deal with the FCA in an open and co-operative manner.

Principle 3

[deleted]

Principle 4

[deleted]

Principle 5

[deleted]

Principle 6

[deleted]
LR 7.2.2GRP
Listing Principle 1 is intended to ensure that listed companies have adequate procedures, systems and controls to enable them to comply with their obligations under the listing rules, disclosure rules, transparency rules and corporate governance rules. In particular, the FCA considers that listed companies should place particular emphasis on ensuring that they have adequate procedures, systems and controls in relation to, where applicable: (1) identifying whether any obligations
LR 7.2.3GRP
Timely and accurate disclosure of information to the market is a key obligation of listed companies. For the purposes of Listing Principle 1, a listed company should have adequate systems and controls to be able to: (1) ensure that it can properly identify information which requires disclosure under the listing rules, disclosure rules, transparency rules or corporate governance rules in a timely manner; and (2) ensure that any information identified under (1) is properly
LR 8.6.5RRP
The FCA will approve a person as a sponsor only if it is satisfied that the person: (1) is an authorised person or a member of a designated professional body; (2) is competent to provide sponsor services in accordance with LR 8; and (3) has appropriate systems and controls in place to carry out its role as a sponsor in accordance with LR 8.
LR 8.6.5BGRP
Situations when the FCA may impose restrictions or limitations on the services a sponsor can provide include (but are not limited to) where it appears to the FCA that: (1) the employees of the person applying to be a sponsor whom it is proposed will perform sponsor services have no or limited relevant experience and expertise of providing certain types of sponsor services or of providing sponsor services to certain types of company; or (2) the person applying to be a sponsor
LR 8.6.12RRP
A sponsor or a person applying for approval as a sponsor will not satisfy LR 8.6.5R (3) unless it has in place: (1) clear and effective reporting lines for the provision of sponsor services (including clear and effective management responsibilities); (1A) effective systems and controls which require employees with management responsibilities for the provision of sponsor services to understand and apply the requirements of LR 8; (2) effective systems and controls for the appropriate
LR 8.6.13AGRP
A sponsor will generally be regarded as having appropriate systems and controls for identifying and managing conflicts if it has in place effective policies and procedures: (1) to ensure that decisions taken on managing conflicts of interest are taken by appropriately senior staff and on a timely basis; (2) to monitor whether arrangements put in place to manage conflicts are effective; and (3) to ensure that individuals within the sponsor are appropriately trained to enable them
SYSC 14.1.27RRP
A firm must take reasonable steps to establish and maintain adequate internal controls.
SYSC 14.1.28GRP
The precise role and organisation of internal controls can vary from firm to firm. However, a firm's internal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives: (1) safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities; (2) maintaining the efficiency and effectiveness of its operations; (3) ensuring the reliability
SYSC 14.1.29AGRP
When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in SYSC 14.1.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of: (1) the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G); (2) how the delegation or contracting of functions or activities to employees, appointed representatives
SYSC 14.1.29BGRP
(1) SYSC 14.1.29G(6) does not apply to a Solvency II firm. (2) SYSC 14.1.29G(7) does not apply to a Solvency II firm, but only in relation to references to the internal audit function. It does apply to a Solvency II firm in relation to references to the internal audit committee. (3) For Solvency II firms, the PRA has made rules implementing the governance provisions of the Solvency II Directive relating to internal controls (article 46), see PRA Rulebook: Solvency II firms: Conditions
CASS 6.6.18GRP
(1) The internal system evaluation method is available to any firm, including one that is not able to use the internal custody reconciliation method because it does not meet the requirements at CASS 6.6.16R (1) and CASS 6.6.16R (2). (2) The purpose of the internal system evaluation method is to detect weaknesses in a firm's systems and controls and any recordkeeping discrepancies. However, this method is not designed to substitute a firm's other measures for ensuring compliance
CASS 6.6.19RRP
The internal system evaluation method requires a firm to: (1) establish a process that evaluates: (a) the completeness and accuracy of the firm's internal records and accounts of safe custody assets held by the firm for clients, in particular whether sufficient information is being completely and accurately recorded by the firm to enable it to: (i) comply with CASS 6.6.4 R; and (ii) readily determine the total of all the safe custody assets that the firm holds for its clients; and (b)
CASS 6.6.20GRP
The evaluation process under CASS 6.6.19R (1) should verify that the firm's systems and controls correctly identify and resolve at least the following types or causes of discrepancies: (1) items in the firm's records and accounts that might be erroneously overstating or understating the safe custody assets held by a firm (for example, 'test' entries and 'balancing' entries); (2) negative balances; (3) processing errors; (4) journal entry errors (eg, omissions and unauthorised system
CASS 6.6.31GRP
The documents under CASS 6.6.30R (1) should, for example, cover the systems and controls the firm will have in place to mitigate the risk of 'teeming and lading' in respect of all the physical safe custody assets held by the firm for clients and across all the firm's business lines.
CASS 6.6.58GRP
Firms are reminded that the auditor of the firm has to confirm in the report submitted to the FCA under SUP 3.10 (Duties of auditors: notification and report on client assets) that the firm has maintained systems adequate to enable it to comply with the custody rules.
SYSC 13.2.1GRP
SYSC 13 provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any
SYSC 13.2.4AGRP
Operational risk can, amongst other things, lead to unfair treatment of consumers or lead to financial crime. A firm should consider all operational risk events that may affect these matters in establishing and maintaining its systems and controls.
SYSC 7.1.2RRP
A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm. [Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]
SYSC 7.1.3RRP
A common platform firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm's activities, processes and systems, in light of that level of risk tolerance. [Note: article 7(1)(b) of the MiFID implementing Directive]
SYSC 7.1.10RRP
A BIPRU firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.
SYSC 7.1.15RRP
A BIPRU firm must implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a BIPRU firm's non-trading activities.
SYSC 2.1.3RRP
A firm must appropriately allocate to one or more individuals, in accordance with SYSC 2.1.4 R, the functions of: (1) dealing with the apportionment of responsibilities under SYSC 2.1.1 R; and (2) overseeing the establishment and maintenance of systems and controls under SYSC 3.1.1 R.
SYSC 2.1.6GRP

Frequently asked questions about allocation of functions in SYSC 2.1.3 R

This table belongs to SYSC 2.1.5 G

Question

Answer

1

Does an individual to whom a function is allocated under SYSC 2.1.3 R need to be an approved person?

An individual to whom a function is allocated under SYSC 2.1.3 R will be performing the apportionment and oversight function (CF 8, see SUP 10A.7.1 R) and an application must be made under section 59 of the Act for approval of the individual before the function is performed. There are exceptions from this in SUP 10A.1 (Approved persons - Application).

2

If the allocation is to more than one individual, can they perform the functions, or aspects of the functions, separately?

If the functions are allocated to joint chief executives under SYSC 2.1.4 R, column 2, they are expected to act jointly. If the functions are allocated to an individual under SYSC 2.1.4 R, column 2, in addition to individuals under SYSC 2.1.4 R, column 3, the former may normally be expected to perform a leading role in relation to the functions that reflects his position. Otherwise, yes.

3

What is meant by "appropriately allocate" in this context?

The allocation of functions should be compatible with delivering compliance with Principle 3, SYSC 2.1.1 R and SYSC 3.1.1 R. The appropriate regulator considers that allocation to one or two individuals is likely to be appropriate for most firms.

4

If a committee of management governs a firm or group, can the functions be allocated to every member of that committee?

Yes, as long as the allocation remains appropriate (see Question 3). If the firm also has an individual as chief executive, then the functions must be allocated to that individual as well under SYSC 2.1.4 R, column 2 (see Question 7).

5

Does the definition of chief executive include the possessor of equivalent responsibilities with another title, such as a managing director or managing partner?

Yes.

6

Is it possible for a firm to have more than one individual as its chief executive?

Although unusual, some firms may wish the responsibility of a chief executive to be held jointly by more than one individual. In that case, each of them will be a chief executive and the functions must be allocated to all of them under SYSC 2.1.4 R, column 2 (see also Questions 2 and 7).

7

If a firm has an individual as chief executive, must the functions be allocated to that individual?

Normally, yes, under SYSC 2.1.4 R, column 2.

But if the firm is a body corporate and a member of a group, the functions may, instead of to the firm's chief executive, be allocated to a director or senior manager from the group responsible for the overall management of the group or of a relevant group division, so long as this is appropriate (see Question 3). Such individuals may nevertheless require approval under section 59 (see Question 1).

If the firm chooses to allocate the functions to a director or senior manager responsible for the overall management of a relevant group division, the appropriate regulator would expect that individual to be of a seniority equivalent to or greater than a chief executive of the firm for the allocation to be appropriate.

See also Question 14.

8

If a firm has a chief executive, can the functions be allocated to other individuals in addition to the chief executive?

Yes. SYSC 2.1.4 R, column 3, permits a firm to allocate the functions, additionally, to the firm's (or where applicable the group's) directors and senior managers as long as this is appropriate (see Question 3).

9

What if a firm does not have a chief executive?

Normally, the functions must be allocated to one or more individuals selected from the firm's (or where applicable the group's) directors and senior managers under SYSC 2.1.4 R, column 3.

But if the firm:

(1) is a body corporate and a member of a group; and

(2) the group has a director or senior manager responsible for the overall management of the group or of a relevant group division;

then the functions must be allocated to that individual (together, optionally, with individuals from column 3 if appropriate) under SYSC 2.1.4 R, column 2.

10

What do you mean by "group division within which some or all of the firm's regulated activities fall"?

A "division" in this context should be interpreted by reference to geographical operations, product lines or any other method by which the group's business is divided.

If the firm's regulated activities fall within more than one division and the firm does not wish to allocate the functions to its chief executive, the allocation must, under SYSC 2.1.4 R, be to:

(1) a director or senior manager responsible for the overall management of the group; or

(2) a director or senior manager responsible for the overall management of one of those divisions;

together, optionally, with individuals from column 3 if appropriate. (See also Questions 7 and 9.)

11

How does the requirement to allocate the functions in SYSC 2.1.3R apply to an overseas firm which is not an incoming EEA firm, incoming Treaty firm or UCITS qualifier?

The firm must appropriately allocate those functions to one or more individuals, in accordance with SYSC 2.1.4 R, but:

(1) The responsibilities that must be apportioned and the systems and controls that must be overseen are those relating to activities carried on from a UK establishment with certain exceptions (see SYSC 1 Annex 1.1.7 R). Note that SYSC 1 Annex 1.1.10 R does not extend the territorial scope of SYSC 2 for an overseas firm.

(2) The chief executive of an overseas firm is the person responsible for the conduct of the firm's business within the United Kingdom (see the definition of "chief executive"). This might, for example, be the manager of the firm's UK establishment, or it might be the chief executive of the firm as a whole, if he has that responsibility.

The apportionment and oversight function applies to such a firm, unless it falls within a particular exception from the approved persons regime (see Question 1).

12

How does the requirement to allocate the functions in SYSC 2.1.3R apply to an incoming EEA firm or incoming Treaty firm?

SYSC 1 Annex 1.1.1 R and SYSC 1 Annex 1.1.8 R restrict the application of SYSC 2.1.3 R for such a firm. Accordingly:

(1) Such a firm is not required to allocate the function of dealing with apportionment in SYSC 2.1.3 R (1).

(2) Such a firm is required to allocate the function of oversight in SYSC 2.1.3 R (2). However, the systems and controls that must be overseen are those relating to matters which the appropriate regulator, as Host State regulator, is entitled to regulate (there is guidance on this in SUP 13A Annex 2 G). Those are primarily, but not exclusively, the systems and controls relating to the conduct of the firm's activities carried on from its UK branch.

(3) Such a firm need not allocate the function of oversight to its chief executive; it must allocate it to one or more directors and senior managers of the firm or the firm's group under SYSC 2.1.4 R, row (2).

(4) An incoming EEA firm which has provision only for cross border services is not required to allocate either function if it does not carry on regulated activities in the United Kingdom; for example if they fall within the overseas persons exclusions in article 72 of the Regulated Activities Order.

See also Questions 1 and 15.

13

What about a firm that is a partnership or a limited liability partnership?

The appropriate regulator envisages that most if not all partners or members will be either directors or senior managers, but this will depend on the constitution of the partnership (particularly in the case of a limited partnership) or limited liability partnership. A partnership or limited liability partnership may also have a chief executive (see Question 5). A limited liability partnership is a body corporate and, if a member of a group, will fall within SYSC 2.1.4 R, row (1) or (2).

14

What if generally accepted principles of good corporate governance recommend that the chief executive should not be involved in an aspect of corporate governance?

The Note to SYSC 2.1.4 R provides that the chief executive or other executive director or senior manager need not be involved in such circumstances. For example, the UK Corporate Governance Code recommends that the board of a listed company should establish an audit committee of independent, non-executive directors to be responsible (among other things) for overseeing the effectiveness of the audit process and the objectivity and independence of the external auditor. That aspect of the oversight function may therefore be allocated to the members of such a committee without involving the chief executive. Such individuals may require approval under section 59 in relation to that function (see Question 1).

15

What about electronic commerce activities carried on from an establishment in another EEA State with or for a person in the United Kingdom?

SYSC does not apply to an incoming ECA provider acting as such.
DEPP 6.2.1GRP
The FCA will consider the full circumstances of each case when determining whether or not to take action for a financial penalty or public censure. Set out below is a list of factors that may be relevant for this purpose. The list is not exhaustive: not all of these factors may be applicable in a particular case, and there may be other factors, not listed, that are relevant. (1) The nature, seriousness and impact of the suspected breach, including: (a) whether the breach was deliberate
DEPP 6.2.5GRP
In some cases it may not be appropriate to take disciplinary measures against a firm for the actions of an approved person (an example might be where the firm can show that it took all reasonable steps to prevent the breach). In other cases, it may be appropriate for the FCA to take action against both the firm and the approved person. For example, a firm may have breached the rule requiring it to take reasonable care to establish and maintain such systems and controls as are
REC 5.2.3AGRP
The information required pursuant to sub-sections 287(c), (d) and (e) of the Act is: (1) a programme of operations which includes the types of business the applicant proposes to undertake and the applicant's proposed organisational structure; (2) particulars of the persons who effectively direct the business and operations of the exchange; and (3) particulars of the ownership of the exchange, and in particular the identity and scale of interests of the persons who are in a position
REC 5.2.6GRP
Under section 289 of the Act (Applications: supplementary) or (for an RAP applicant) regulation 2 of the RAP regulations, the FCA may require the applicant to provide additional information, and may require the applicant to verify any information in any manner. In view of their likely importance for any application, the FCA will normally wish to arrange for its own inspection of an applicant's information technology systems.
REC 5.2.14GRP

Information and supporting documentation (see REC 5.2.4 G).

(1)

Details of the applicant's constitution, structure and ownership, including its memorandum and articles of association (or similar or analogous documents) and any agreements between the applicant, its owners or other persons relating to its constitution or governance (if not contained in the information listed in REC 5.2.3A G). An applicant for RAP status must provide details of the relationship between the governance arrangements in place for the UK RIE and the RAP.

(2)

Details of all business to be conducted by the applicant, whether or not a regulated activity (if not contained in the information listed in REC 5.2.3A G).

(3)

Details of the facilities which the applicant plans to operate, including details of the trading platform or (for an RAP) auction platform, settlement arrangements, clearing facilitation services and custody services which it plans to supply. An applicant for RAP status must provide details on the relationship between the auction platform and any secondary market in emissions auction products which it operates or plans to operate.

(4)

Copies of the last three annual reports and accounts and, for the current financial year, quarterly management accounts.

(5)

Details of its business plan for the first three years of operation as a UK recognised body (if not contained in the information listed in REC 5.2.3A G).

(6)

A full organisation chart and a list of the posts to be held by key individuals (with details of the duties and responsibilities) and the names of the persons proposed for these appointments when these names are available (if not contained in the information listed in REC 5.2.3A G).

(7)

Details of its auditors, bankers, solicitors and any persons providing corporate finance advice or similar services (such as reporting accountants) to the applicant.

(8)

Details of any relevant functions to be outsourced or delegated, with copies of relevant agreements.

(9)

Details of information technology systems and of arrangements for their supply, management, maintenance and upgrading, and security.

(10)

Details of all plans to minimise disruption to operation of its facilities in the event of the failure of its information technology systems.

(11)

Details of internal systems for financial control, arrangements for risk management and insurance arrangements to cover operational and other risks.

(12)

Details of its arrangements for managing any counterparty risks.

(13)

Details of internal arrangements to safeguard confidential or privileged information and for handling conflicts of interest.

(14)

Details of arrangements for complying with the notification rules and other requirements to supply information to the FCA.

(15)

Details of the arrangements to be made for monitoring and enforcing compliance with its rules and with its clearing, settlement and default arrangements.

(16)

A summary of the legal due diligence carried out in relation to ascertaining the enforceability of its rules (including default rules) and the results and conclusions reached.

(17)

Details of the procedures to be followed for declaring a member in default, and for taking action after that event to close out positions, protect the interests of other members and enforce its default rules.

(18)

Details of membership selection criteria, rules and procedures, including (for an RAP) details of how the rules of the UK RIE will change in order to reflect RAP status.

(19)

Details of arrangements for recording transactions effected by, or cleared through, its facilities.

(20)

Details of arrangements for detecting financial crime and market abuse, including arrangements for complying with money laundering law.

(21)

Details of criteria, rules and arrangements for selecting specified investments to be admitted to trading on (or cleared by) an RIE and, where relevant, details of how information regarding specified investments will be disseminated to users of its facilities.

(22)

Details of arrangements for cooperating with the FCA and other appropriate authorities, including draft memoranda of understanding or letters.

(23)

Details of the procedures and arrangements for making and amending rules, including arrangements for consulting on rule changes.

(24)

Details of disciplinary and appeal procedures, and of the arrangements for investigating complaints.

SYSC 3.1.1RRP
A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
SYSC 3.1.2GRP
(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including: (a) the nature, scale and complexity of its business; (b) the diversity of its operations, including geographical diversity; (c) the volume and size of its transactions; and (d) the degree of risk associated with each area of its operation. (2) To enable it to comply with its obligation to maintain appropriate systems and controls,
SYSC 3.1.5GRP
SYSC 2.1.3 R (2) prescribes how a firm must allocate the function of overseeing the establishment and maintenance of systems and controls described in SYSC 3.1.1 R.