Related provisions for SYSC 3.2.13

1 - 20 of 121 items.
Results filter

Search Term(s)

Filter by Modules

Filter by Documents

Filter by Keywords

Effective Period

Similar To

To access the FCA Handbook Archive choose a date between 1 January 2001 and 31 December 2004 (From field only).

SYSC 12.1.6GRP
The purpose of this chapter is to set out how the systems and control requirements imposed by SYSC (Senior Management Arrangements, Systems and Controls) apply where a firm is part of a group. If a firm is a member of a group, it should be able to assess the potential impact of risks arising from other parts of its group as well as from its own activities.
SYSC 12.1.7GRP
This section implements Articles 73(3) (Supervision on a consolidated basis of credit institutions) and 138 (Intra-group transactions with mixed activity holding companies) of the Banking Consolidation Directiveand12 Article 9 of the Financial Groups Directive (Internal control mechanisms and risk management processes) .1212
SYSC 12.1.8RRP
A firm must:(1) have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and(2) ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.
SYSC 12.1.9GRP
For the purposes of SYSC 12.1.8 R, the question of whether the risk management processes and internal control mechanisms are adequate, sound and appropriate should be judged in the light of the nature, scale and complexity of the group's business and of the risks that the group bears. Risk14 management processes must include the stress testing and scenario analysis required by the PRA Rulebook14.12124
SYSC 12.1.10RRP
The internal control mechanisms referred to in SYSC 12.1.8 R must include:(1) mechanisms that are adequate for the purpose of producing any data and information which would be relevant for the purpose of monitoring compliance with any prudential requirements (including any reporting requirements and any requirements relating to capital adequacy, solvency, systems and controls and large exposures):(a) to which the firm is subject with respect to its membership of a group; or(b)
SYSC 12.1.12RRP
Where this section applies with respect to a financial conglomerate, the internal control mechanisms referred to in SYSC 12.1.8R (2) or, for a Solvency II firm, the internal control system referred to in the PRA Rulebook: Solvency II firms: Conditions Governing Business, rule 3,12 must include:(1) mechanisms that are adequate to identify and measure all material risks incurred by members of the financial conglomerate and appropriately relate capital in the financial conglomerate
SYSC 12.1.13RRP
If this rule applies under SYSC 12.1.14 R to a firm, the firm must:(1) comply with SYSC 12.1.8R (2) in relation to any UK consolidation group or non-EEAsub-group of which it is a member, as well as in relation to its group; and(2) ensure that the risk management processes and internal control mechanisms at the level of any consolidation group or non-EEAsub-group of which it is a member comply with the obligations set out in the following provisions on a consolidated (or sub-consolidated)
SYSC 12.1.15RRP
In the case of a firm that:(1) is aCRRfirm; and810(2) has a mixed-activity holding company as a parent undertaking;the risk management processes and internal control mechanisms referred to in SYSC 12.1.8 R must include sound reporting and accounting procedures and other mechanisms that are adequate to identify, measure, monitor and control transactions between the firm'sparent undertakingmixed-activity holding company and any of the mixed-activity holding company'ssubsidiary
SYSC 12.1.18GRP
Assessment of the adequacy of a group's systems and controls required by this section will form part of the FCA’s14 risk management process.
SYSC 12.1.19GRP
The nature and extent of the systems and controls necessary under SYSC 12.1.8R (1) to address group risk will vary according to the materiality of those risks to the firm and the position of the firm within the group.
SYSC 12.1.20GRP
In some cases the management of the systems and controls used to address the risks described in SYSC 12.1.8R (1) may be organised on a group-wide basis. If the firm is not carrying out those functions itself, it should delegate them to the group members that are carrying them out. However, this does not relieve the firm of responsibility for complying with its obligations under SYSC 12.1.8R (1). A firm cannot absolve itself of such a responsibility by claiming that any breach
SYSC 12.1.21GRP
SYSC 12.1.8R (1) deals with the systems and controls that a firm should have in respect of the exposure it has to the rest of the group. On the other hand, the purpose of SYSC 12.1.8R (2) and the rules in this section that amplify it is to require groups to have adequate systems and controls. However a group is not a single legal entity on which obligations can be imposed. Therefore the obligations have to be placed on individual firms. The purpose of imposing the obligations
SYSC 12.1.22GRP
If both a firm and its parent undertaking are subject to SYSC 12.1.8R (2), the FCA14 would not expect systems and controls to be duplicated. In this case, the firm should assess whether and to what extent it can rely on its parent's group risk systems and controls.
REC 2.5.1UKRP

Schedule to the Recognition Requirements Regulations, paragraph 3

2(1)

The [UK RIE] must ensure that the systems and controls used in the performance of its [relevant functions] are adequate, and appropriate for the scale and nature of its business.

(2)

Sub-paragraph (1) applies in particular to systems and controls concerning -

(a)

the transmission of information;

(b)

the assessment, mitigation and management of risks to the performance of the [UK RIE'srelevant functions];

(c)

the effecting and monitoring of transactions on the [UK RIE];

(ca)

the technical operation of the [UK RIE], including contingency arrangements for disruption to its facilities;

(d)

the operation of the arrangements mentioned in paragraph 4(2)(d); and

(e)

(where relevant) the safeguarding and administration of assets belonging to users of the [UK RIE's] facilities.

REC 2.5.3GRP
In assessing whether the systems and controls used by a UK recognised body in the performance of its relevant functions are adequate and appropriate for the scale and nature of its business, the FCA3 may have regard to the UK recognised body's:3(1) arrangements for managing, controlling and carrying out its relevant functions, including: (a) the distribution of duties and responsibilities among its key individuals and the departments of the UK recognised body responsible for performing
REC 2.5.4GRP
The following paragraphs set out other matters to which the FCA3 may have regard in assessing the systems and controls used for the transmission of information, risk management, the effecting and monitoring of transactions, the operation of settlement arrangements (the matters covered in paragraph 4(2)(d) of the Schedule to the Recognition Requirements Regulations) and the safeguarding and administration of assets .33
REC 2.5.6GRP
In assessing a UK recognised body's systems and controls for assessing and managing risk, the FCA3 may also have regard to the extent to which these systems and controls enable the UK recognised body to:3(1) identify all the general, operational, legal and market risks wherever they arise in its activities;(2) measure and control the different types of risk;(3) allocate responsibility for risk management to persons with appropriate knowledge and expertise; and(4) provide sufficient,
REC 2.5.8GRP
In assessing a UK RIE's systems and controls for the effecting and monitoring of transactions, and for the operation of settlement arrangements, the FCA3 may have regard to the totality of the arrangements and processes through which the UK RIE's transactions are effected, cleared,3 and settled, including:333(1) a UK RIE's arrangements under which orders are received and matched, its arrangements for trade and transaction reporting, and (if relevant) its arrangements with another
REC 2.5.9GRP
In assessing a UK recognised body's systems and controls for the safeguarding and administration of assets belonging to users of its facilities, the FCA3 may have regard to the totality of the arrangements and processes by which the UK recognised body: 3(1) records the assets held and the identity of the owners of (and other persons with relevant rights over) those assets; (2) records any instructions given in relation to those assets;(3) records the carrying out of those instructions;(4)
REC 2.5.12GRP
REC 2.5.13 G to REC 2.5.16 G set out the factors to which the FCA3 may have regard in assessing a UK recognised body's systems and controls for managing conflicts of interest.3
REC 2.5.14GRP
The FCA3 may also have regard to the systems and controls intended to ensure that confidential information is only used for proper purposes. Where relevant, recognised bodies will have to comply with section 348 (Restrictions on disclosure of confidential information by the FCA3 etc.) and regulations made under section 349 (Exemptions from section 348) of the Act.33
REC 2.5.17GRP
A UK recognised body's arrangements for internal and external audit will be an important part of its systems and controls. In assessing the adequacy of these arrangements, the FCA3 may have regard to: 3(1) the size, composition and terms of reference of any audit committee of the UK recognised body'sgoverning body;(2) the frequency and scope of external audit; (3) the provision and scope of internal audit; (4) the staffing and resources of the UK recognised body's internal audit
REC 2.5.18GRP
Information technology is likely to be a major component of the systems and controls used by any UK recognised body. In assessing the adequacy of the information technology used by a UK recognised body to perform or support its relevant functions, the FCA3 may have regard to:3(1) the organisation, management and resources of the information technology department within the UK recognised body;(2) the arrangements for controlling and documenting the design, development, implementation
REC 2.5.19GRP
The FCA3 may also have regard to the arrangements for maintaining, recording and enforcing technical and operational standards and specifications for information technology systems, including:3(1) the procedures for the evaluation and selection of information technology systems;(2) the arrangements for testing information technology systems before live operations;(3) the procedures for problem management and system change;(4) the arrangements to monitor and report system performance,
REC 2.5.20GRP
The FCA3 may have regard to the arrangements made to keep clear and complete audit trails of all uses of information technology systems and to reconcile (where appropriate) the audit trails with equivalent information held by system users and other interested parties.3
SYSC 3.2.1GRP
This section covers some of the main issues which a firm is expected to consider in establishing and maintaining the systems and controls appropriate to its business, as required by SYSC 3.1.1 R.
SYSC 3.2.4GRP
(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.(2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.
SYSC 3.2.6RRP
A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
SYSC 3.2.6ARRP
5A firm must ensure that these systems and controls:(1) enable it to identify, assess, monitor and manage money laundering risk; and(2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
SYSC 3.2.6CRRP
5A firm must carry out regular assessments of the adequacy of these systems and controls to ensure that it continues to comply with SYSC 3.2.6A R.
SYSC 3.2.6EGRP
5The FCA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the UK financial sector issued by the Joint Money Laundering Steering Group.
SYSC 3.2.6FGRP
5In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:(1) its customer, product and activity profiles;(2) its distribution channels;(3) the complexity and volume of its transactions;(4) its processes and systems; and(5) its operating environment.
SYSC 3.2.6GGRP
5A firm should ensure that the systems and controls include:(1) appropriate training for its employees in relation to money laundering;(2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm'smoney laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;(3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
SYSC 3.2.6HRRP
5A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.
SYSC 3.2.6IRRP
5A firm must:(1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FCA'srules on systems and controls against money laundering; and(2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
SYSC 3.2.15GRP
Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G9)
SYSC 3.2.16GRP
9(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities
SYSC 3.2.21GRP
A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
CREDS 2.2.1GRP
SYSC 4.1.1 R requires every firm, including a credit union, to have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing
CREDS 2.2.3GRP
A credit union’s systems and controls should be proportionate to the nature, scale and complexity of the activities it undertakes. For instance, a 5small credit union5 will not usually 5be expected to have the same systems and controls as a large one, and a credit union offering only basic savings accounts and loans will not be expected to have the same systems and controls as one offering a wider range of services or more complicated products5.
CREDS 2.2.8RRP
A credit union must establish, maintain and implement a fully documented system of control.5
CREDS 2.2.9GRP
Guidance on the documentation of systems of control is given in CREDS 2.2.20 G to CREDS 2.2.23 G.
CREDS 2.2.11GRP
(1) The term 'internal audit function' in CREDS 2.2.10 E refers to the generally understood concept of internal audit within a firm, in other words the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. 5(2) Guidance on internal audit is given in CREDS 2.2.40 G to CREDS 2.2.50 G.
CREDS 2.2.20GRP
CREDS 2.2.8 R requires a credit union's system of control to be fully documented. The documentation helps the governing body5 to assess if systems are maintained and controls are operating effectively. It also helps those reviewing the systems to verify that the controls in place are those that have been authorised, and that they are adequate for their purpose.
CREDS 2.2.21GRP
(1) The governing body5 should decide what form this documentation should take, but the governing body5 should have in mind the following points.(a) Documents should be comprehensive: they should cover all material aspects of the operations of the credit union.(b) Documents should be integrated: separate elements of the system should be cross-referred so that the system can be viewed as a whole.(c) Documents should identify risks and the controls established to manage those risks.
CREDS 2.2.23GRP
The documentation of IT controls should be integrated within the overall documentation of a credit union's system of control.
CREDS 2.2.25GRP
A credit union should have appropriate systems in place to fulfil its obligations with respect to adequacy, access, periods of retention, and security of records.
CREDS 2.2.31GRP
Some important compliance issues include:(1) insurance against fraud and dishonesty;(2) arrangements for the prevention, detection and reporting of money laundering;(3) establishing and maintaining a satisfactory system of control;(4) keeping proper books of account;(5) computation and application of profits;(6) investment of surplus funds;(7) capital requirements; (8) liquidity requirements;(9) limits on shares and loans;(10) maintenance of membership records;(11) submission
CREDS 2.2.42GRP
Depending upon the scale and nature of the credit union's activities, it may be appropriate for the audit committee to delegate the task of monitoring the effectiveness and appropriateness of its systems and controls to an employee or other third party.
CREDS 2.2.43GRP
The purposes of an internal audit are:(1) to ensure that the policies and procedures of the credit union are followed;(2) to provide the governing body5 with a continuous appraisal of the overall effectiveness of the control systems, including proposed changes;(3) to recommend improvements where desirable or necessary;(4) to determine whether the internal controls established by the governing body5 are being maintained properly and operated as laid down in the policy, and comply
CREDS 2.2.44GRP
The internal audit function (see CREDS 2.2.11G) should develop an audit plan, covering all aspects of the credit union's business. The audit plan should identify the scope and frequency of work to be carried out in each area. Areas identified as higher risk should be covered more frequently. However, over a set timeframe (likely to be one year) all areas should be covered. Care should be taken to avoid obvious patterns in assessing the different areas of the credit union's business,
SYSC 13.7.1GRP
A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others). In doing so a firm should have regard to:(1) the importance and complexity of processes and systems used in the end-to-end operating cycle for products and activities (for example, the level of integration of systems);(2)
SYSC 13.7.2GRP
Internal documentation may enhance understanding and aid continuity of operations, so a firm should ensure the adequacy of its internal documentation of processes and systems (including how documentation is developed, maintained and distributed) in managing operational risk.
SYSC 13.7.4GRP
A firm should ensure the adequacy of its processes and systems to review external documentation prior to issue (including review by its compliance, legal and marketing departments or by appropriately qualified external advisers). In doing so, a firm should have regard to:(1) compliance with applicable regulatory and other requirements;1(2) the extent to which its documentation uses standard terms (that are widely recognised, and have been tested in the courts) or non-standard
SYSC 13.7.6GRP
A firm should establish and maintain appropriate systems and controls for the management of its IT system risks, having regard to:(1) its organisation and reporting structure for technology operations (including the adequacy of senior management oversight);(2) the extent to which technology requirements are addressed in its business strategy;(3) the appropriateness of its systems acquisition, development and maintenance activities (including the allocation of responsibilities
SYSC 13.7.7GRP
Failures in processing information (whether physical, electronic or known by employees but not recorded) or of the security of the systems that maintain it can lead to significant operational losses. A firm should establish and maintain appropriate systems and controls to manage its information security risks. In doing so, a firm should have regard to:(1) confidentiality: information should be accessible only to persons or systems with appropriate authority, which may require
SYSC 13.7.8GRP
A firm should ensure the adequacy of the systems and controls used to protect the processing and security of its information, and should have regard to established security standards such as ISO17799 (Information Security Management).
SYSC 13.7.9GRP
Operating processes and systems at separate geographic locations may alter a firm's operational risk profile (including by allowing alternative sites for the continuity of operations). A firm should understand the effect of any differences in processes and systems at each of its locations, particularly if they are in different countries, having regard to:(1) the business operating environment of each country (for example, the likelihood and impact of political disruptions or
APER 4.7.3GRP
5Failing to take reasonable steps to implement (either personally or through a compliance department or other departments) adequate and appropriate systems of control to comply with the relevant requirements and standards of the regulatory system in respect of the regulated activities of the firm in question (as referred to in Statement of Principle 7) falls within APER 4.7.2G. In the case of an approved person who is responsible, under SYSC 2.1.3R(2) or SYSC 4.4.5R(2), with overseeing
APER 4.7.7GRP
5Failing to take reasonable steps to ensure that procedures and systems of control are reviewed and, if appropriate, improved, following the identification of significant breaches (whether suspended or actual) of the relevant requirements and standards of the regulatory system relating to the regulated activities of the firm in question (as referred to in Statement of Principle 7) falls within APER 4.7.2G (see APER 4.7.13G and APER 4.7.14G).
APER 4.7.8GRP
5Behaviour of the type referred to in APER 4.7.7 G includes, but is not limited to:(1) unreasonably failing to implement recommendations for improvements in systems and procedures;(2) unreasonably failing to implement recommendations for improvements to systems and procedures in a timely manner.
APER 4.7.10GRP
5In the case of an approved person performing an accountable higher management function responsible for compliance under SYSC 3.2.8R, SYSC 6.1.4R or SYSC 6.1.4AR, failing to take reasonable steps to ensure that appropriate compliance systems and procedures are in place falls within APER 4.7.2G.
APER 4.7.11AGRP
5Where the approved person is a proprietary trader under SUP 10A.9.10R, failing to maintain and comply with appropriate systems and controls in relation to that activity falls within APER 4.7.2G.
APER 4.7.12GRP
An approved person performing an accountable higher management function5 need not themselves5 put in place the systems of control in their5 business (APER 4.7.4G5). Whether he does this depends on his role and responsibilities. He should, however, take reasonable steps to ensure that the business for which he is responsible has operating procedures and systems which include well-defined steps for complying with the detail of relevant requirements and standards of the regulatory
APER 4.7.13GRP
Where the approved person performing an accountable higher management function5 becomes aware of actual or suspected problems that involve possible breaches of relevant requirements and standards of the regulatory system falling within their5 area of responsibility, then they5 should take reasonable steps to ensure that they are dealt with in a timely and appropriate manner (APER 4.7.7G5). This may involve an adequate investigation to find out what systems or procedures may have
APER 4.7.14GRP
Where independent reviews of systems and procedures have been undertaken and result in recommendations for improvement, the approved person performing an accountable higher management function5 should ensure that, unless there are good reasons not to, any reasonable recommendations are implemented in a timely manner (APER 4.7.10G5). What is reasonable will depend on the nature of the inadequacy and the cost of the improvement. It will be reasonable for the approved person performing
SYSC 6.3.1RRP
A firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that:1(1) enable it to identify, assess, monitor and manage money laundering risk; and(2) are comprehensive and proportionate to the nature, scale and complexity of its activities.
SYSC 6.3.3RRP
A firm must carry out a1 regular assessment of the adequacy of these systems and controls to ensure that they continue 1to comply with SYSC 6.3.1 R.11
SYSC 6.3.5GRP
The FCA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the United Kingdom financial sector issued by the Joint Money Laundering Steering Group.1
SYSC 6.3.6GRP
In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:1(1) its customer, product and activity profiles;(2) its distribution channels;(3) the complexity and volume of its transactions;(4) its processes and systems; and(5) its operating environment.
SYSC 6.3.7GRP
A firm should ensure that the systems and controls include:1(1) appropriate training for its employees in relation to money laundering;(2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm'smoney laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;(3) appropriate documentation of its risk management policies and risk profile in relation to money laundering,
SYSC 6.3.8RRP
(1) A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.4(2) A firm may not allocate overall responsibility under (1) to a person who is approved to perform the other overall responsibility function.4
SYSC 6.3.9RRP
A firm (with the exception of a sole trader who has no employees)21 must:12(1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FCA'srules on systems and controls against money laundering; and(2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.
SYSC 5.1.2GRP
A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual's honesty and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
SYSC 5.1.8GRP
The effective segregation of duties is an important element in the internal controls of a firm in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm'sgoverning body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems.
SYSC 5.1.9GRP
A firm should normally ensure that no single individual has unrestricted authority to do all of the following:3(1) initiate a transaction;(2) bind the firm;(3) make payments; and(4) account for it.
SYSC 5.1.10GRP
Where a firm is unable to ensure the complete segregation of duties (for example, because it has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant senior managers).3
SYSC 5.1.13RRP
The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter must take into account the nature, scale and complexity of its business and the nature and range of financial services and activities 3undertaken in the course of that business.[Note:article 5(1) final paragraph of the MiFID implementing Directiveand articles 4(1) final paragraph and 5(4) of the UCITS implementing Directive]66
SYSC 5.1.14RRP
A common platform firm and a management company6 must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies.[Note:article 5(5) of the MiFID implementing Directive and articles 4(5) of the UCITS implementing Directive]6
IFPRU 2.2.7RRP
A firm must have in place sound, effective and comprehensive strategies, processes and systems:(1) to assess and maintain, on an ongoing basis, the amounts, types and distribution of financial resources, own funds and internal capital that it considers adequate to cover:(a) the nature and level of the risks to which it is, or might be, exposed;(b) the risk in the overall financial adequacy rule;(c) the risk that the firm might not be able to meet the obligations in Part Three
IFPRU 2.2.12RRP
The processes, strategies and systems required by the overall Pillar 2 rule must be comprehensive and proportionate to the nature, scale and complexity of the firm's activities.[Note: article 73 second paragraph (part) of CRD]
IFPRU 2.2.13RRP
A firm must:(1) carry out regularly the assessments required by the overall Pillar 2 rule; and(2) carry out regular assessments of the processes, strategies and systems required by the overall Pillar 2 rule to ensure that they remain comprehensive and proportionate to the nature, scale and complexity of the firm's activities.[Note: article 73 second paragraph (part) of CRD]
IFPRU 2.2.15GRP
Certain risks, such as systems and controls weaknesses, may not be adequately addressed by, for example, holding additional capital and a more appropriate response would be to rectify the weakness. In such circumstances, the amount of financial resources required to address these risks might be zero. However, a firm should consider whether holding additional capital might be an appropriate response until the identified weaknesses are rectified. A firm, should, in line with IFPRU
IFPRU 2.2.16GRP
A firm should carry out assessments of the sort described in the overall Pillar 2 rule and IFPRU 2.2.13 R at least annually, or more frequently if changes in the business, strategy, nature or scale of its activities or operational environment suggest that the current level of financial resources is no longer adequate. The appropriateness of the internal process, and the degree of involvement of senior management in the process, will be taken into account by the FCA when reviewing
IFPRU 2.2.19RRP
A firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.[Note: article 79(c) of CRD]
IFPRU 2.2.60RRP
Compliance with the obligations in IFPRU 2.2.59 R must enable the FCA consolidation group or the non-EEA sub-group to have arrangements, processes and mechanisms that are consistent, well integrated and ensure that data relevant to the purpose of supervision can be produced.[Note: article 109(2) of CRD]
IFPRU 2.2.87GRP
A firm should satisfy itself that the systems (including IT) of the FCA consolidation group or the non-EEA sub-group of which it is a member are sufficiently sound to support the effective management and, where applicable, the quantification of the risks that could affect the FCA consolidation group or the non-EEA sub-group, as the case may be.
REC 3.16.1GRP
The purpose of REC 3.16 is to ensure that the FCA1receives a copy of the UK recognised body's plans and arrangements for ensuring business continuity if there are major problems with its computer systems. The FCA1does not need to be notified of minor revisions to, or updating of, the documents containing a UK recognised body's business continuity plan (for example, changes to contact names or telephone numbers). 11
REC 3.16.2RRP
Where a UK recognised body changes any of its plans for action in the event of a failure of any of its information technology systems resulting in disruption to the operation of its facilities, it must immediately give the FCA1notice of that event, and a copy of the new plan. 1
REC 3.16.3RRP
Where any reserve information technology system of a UK recognised body fails in such a way that, if the main information technology system of that body were also to fail, it would be unable to operate any of its facilities during its normal hours of operation, that body must immediately give the FCA1notice of that event, and inform the FCA:111(1) what action that UK recognised body is taking to restore the operation of the reserve information technology system; and (2) when it
LR 7.2.1RRP

The Listing Principles are as follows:

Listing3 Principle 1

A listed company must take reasonable steps to establish and maintain adequate procedures, systems and controls to enable it to comply with its obligations.3

3

Listing3 Principle 2

A listed company must deal with the FCA in an open and co-operative manner.3

3

Principle 3

[deleted]3

3

Principle 4

[deleted]3

3

Principle 5

[deleted]3

3

Principle 6

[deleted]3

3
LR 7.2.2GRP
Listing Principle 13 is intended to ensure that listed companies have adequate procedures, systems and controls to enable them to comply with their obligations under the listing rules, disclosure rules, transparency rules and corporate governance rules.3 In particular, the FCA considers that listed companies should place particular emphasis on ensuring that they have adequate procedures, systems and controls in relation to, where applicable:333(1) identifying whether any obligations
LR 7.2.3GRP
Timely and accurate disclosure of information to the market is a key obligation of listed companies. For the purposes of Listing Principle 13, a listed company should have adequate systems and controls to be able to:3313(1) ensure that it can properly identify information which requires disclosure under the listing rules, disclosure rules, transparency rules or corporate governance rules3 in a timely manner; and3(2) ensure that any information identified under (1) is properly
LR 8.6.5RRP
The FCA will approve a person as a sponsor only if it is satisfied that the person :4(1) is 4an authorised person or a member of a designated professional body;(2) is 4competent to provide8sponsor services4 in accordance with LR 88; and8(3) has appropriate 4systems and controls in place to carry out its role as a sponsor in accordance with LR 884.488
LR 8.6.5BGRP
7Situations when the FCA may impose restrictions or limitations on the services a sponsor can provide include (but are not limited to) where it appears to the FCA that: (1) the employees of the person applying to be a sponsor whom it is proposed will perform sponsor services have no or limited relevant experience and expertise of providing certain types of sponsor services or of providing sponsor services to certain types of company; or(2) the person applying to be a sponsor
LR 8.6.12RRP
8A sponsor or a person applying for approval as a sponsor will not satisfy LR 8.6.5R (3) unless it has in place:(1) clear and effective reporting lines for the provision of sponsor services (including clear and effective management responsibilities);(1A) effective systems and controls which require employees with management responsibilities for the provision of sponsor services to understand and apply the requirements of LR 8; (2) effective systems and controls for the appropriate
LR 8.6.13AGRP
4A sponsor will generally be regarded as having appropriate systems and controls for identifying and managing conflicts6 if it has in place effective policies and procedures:(1) to ensure that decisions taken on managing conflicts of interest are taken by appropriately senior staff and on a timely basis;(2) to monitor whether arrangements put in place to manage conflicts are effective; and6(3) to ensure that individuals within the sponsor are appropriately trained to enable them
SYSC 14.1.27RRP
A firm must take reasonable steps to establish and maintain adequate internal controls.
SYSC 14.1.28GRP
The precise role and organisation of internal controls can vary from firm to firm. However, a firm'sinternal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives:(1) safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities;(2) maintaining the efficiency and effectiveness of its operations;(3) ensuring the reliability
SYSC 14.1.29AGRP
10When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in SYSC 14.1.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of:(1) the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G);(2) how the delegation or contracting of functions or activities to employees, appointed representatives
SYSC 14.1.29BGRP
(1) 6SYSC 14.1.29G(6) does not apply to a Solvency II firm.(2) SYSC 14.1.29G(7) does not apply to a Solvency II firm, but only in relation to references to the internal audit function. It does apply to a Solvency II firm in relation to references to the internal audit committee.(3) For Solvency II firms, the PRA has made rules implementing the governance provisions of the Solvency II Directive relating to internal controls (article 46), see PRA Rulebook: Solvency II firms: Conditions
SYSC 4.6.6RRP
A third-country relevant authorised person must, at all times, have a comprehensive and up-to-date document (the management responsibilities map) that describes the management and governance arrangements for any branch it maintains in the United Kingdom, including:(1) details of the reporting lines and the lines of responsibility; and(2) reasonable details about:(a) the persons who are part of those arrangements; and(b) their responsibilities.(See further requirements in SYSC
SYSC 4.6.8GRP
(1) One purpose of the management responsibilities map for third country relevant authorised persons is to help the firm and the FCA satisfy themselves that the branch has a clear organisational structure (as required by SYSC, where applicable). (2) It also helps the FCA to identify who it needs to speak to about particular issues and who is accountable if something goes wrong.
SYSC 4.6.12GRP
(1) The management responsibilities map should be consistent with the statements of responsibilities.(2) The statements of responsibilities and the management responsibilities map should all be prepared in a way that makes it simple to see how the responsibilities allocated in a particular statement of responsibilities fit into the overall system of management and governance of the firm.
SYSC 4.6.18RRP
A management responsibilities map for a branch maintained by an EEA relevant authorised person must include: (1) (a) the names of all the branch’s:(i) approved persons;(ii) members of its governing body and (if different) management body who are not approved persons; (iii) senior management; and(iv) senior personnel; and(b) details of the responsibilities which they hold;(2) all responsibilities described in any current statement of responsibilities; (3) matters reserved to the
SYSC 4.6.27GRP
(1) The management responsibilities map should be consistent with the statements of responsibilities.(2) The statements of responsibilities and the management responsibilities map should be prepared in a way that makes it simple to see how the responsibilities allocated in a particular statement of responsibilities fit into the overall system of management and governance of the branch.
CASS 6.6.18GRP
(1) The internal system evaluation method is available to any firm, including one that is not able to use the internal custody reconciliation method because it does not meet the requirements at CASS 6.6.16R (1) and CASS 6.6.16R (2).(2) The purpose of the internal system evaluation method is to detect weaknesses in a firm's systems and controls and any recordkeeping discrepancies. However, this method is not designed to substitute a firm's other measures for ensuring compliance
CASS 6.6.19RRP
The internal system evaluation method requires a firm to:(1) establish a process that evaluates: (a) the completeness and accuracy of the firm's internal records and accounts of safe custody assets held by the firm for clients, in particular whether sufficient information is being completely and accurately recorded by the firm to enable it to:(i) comply with CASS 6.6.4 R; and(ii) readily determine the total of all the safe custody assets that the firm holds for its clients; and(b)
CASS 6.6.20GRP
The evaluation process under CASS 6.6.19R (1) should verify that the firm's systems and controls correctly identify and resolve at least the following types or causes of discrepancies:(1) items in the firm's records and accounts that might be erroneously overstating or understating the safe custody assets held by a firm (for example, 'test' entries and 'balancing' entries);(2) negative balances;(3) processing errors;(4) journal entry errors (eg, omissions and unauthorised system
CASS 6.6.31GRP
The documents under CASS 6.6.30R (1) should, for example, cover the systems and controls the firm will have in place to mitigate the risk of 'teeming and lading' in respect of all the physical safe custody assets held by the firm for clients and across all the firm's business lines.
CASS 6.6.58GRP
Firms are reminded that the auditor of the firm has to confirm in the report submitted to the FCA under SUP 3.10 (Duties of auditors: notification and report on client assets) that the firm has maintained systems adequate to enable it to comply with the custody rules.
EG 18.1.2RP
1When considering whether to cancel a sponsor's approval on its own initiative, the FCA will take into account all relevant factors, including, but not limited to, the following: (1) the competence of the sponsor; (2) the adequacy of the sponsor's systems and controls; (3) the sponsor's history of compliance with the listing rules; (4) the nature, seriousness and duration of the suspected failure of the sponsor to meet (at
EG 18.1.4RP
1When considering whether to cancel a primary information provider’s approval on its own initiative, the FCA will take into account all relevant factors, including, but not limited to, the following: (1) the competence of the primary information provider; (2) the adequacy of the primary information provider’s systems and controls; (3) the primary information provider’s history of compliance with DTR 8; (4) the nature, seriousness and duration of the suspected
SYSC 13.2.1GRP
SYSC 13 provides guidance on how to interpret SYSC 3.1.1 R and SYSC 3.2.6 R, which deal with the establishment and maintenance of systems and controls, in relation to the management of operational risk. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". This chapter covers systems and controls for managing risks concerning any
SYSC 13.2.4AGRP
1Operational risk can, amongst other things, lead to unfair treatment of consumers or lead to financial crime. A firm should consider all operational risk events that may affect these matters in establishing and maintaining its systems and controls.
SYSC 4.5.6GRP
(1) One purpose of the management responsibilities map is to help the firm and the FCA satisfy themselves that the firm has a clear organisational structure (as required by SYSC).(2) It also helps the FCA to identify who it needs to speak to about particular issues and who is accountable if something goes wrong.
SYSC 4.5.9GRP
(1) The management responsibilities map should be consistent with the statements of responsibilities.(2) The statements of responsibilities and the management responsibilities map should all be prepared in a way that makes it simple to see how the responsibilities allocated in a particular statement of responsibilities fit into the overall system of management and governance of the firm.
SYSC 4.5.16GRP
(1) This provision explains the purpose of SYSC 4 Annex 1G.(2) A firm may use it as a checklist to see whether its management responsibilities map covers all its business activities.(3) A firm may wish to prepare its management responsibilities map using the same split of activities.(4) If a firm uses SYSC 4 Annex 1G to help it prepare its management responsibilities map, it should bear in mind that it is not comprehensive (see SYSC 4.5.20G).(5) As mentioned in SYSC 4.7.37G, a
REC 5.2.3AGRP
1The information required pursuant to sub-sections 287(c), (d) and (e) of the Act is:(1) a programme of operations which includes the types of business the applicant proposes to undertake and the applicant's proposed organisational structure;(2) particulars of the persons who effectively direct the business and operations of the exchange; and(3) particulars of the ownership of the exchange, and in particular the identity and scale of interests of the persons who are in a position
REC 5.2.6GRP
Under section 289 of the Act (Applications: supplementary) or (for an RAP applicant) regulation 2 of the RAP regulations,3 the FCA5 may require the applicant to provide additional information, and may require the applicant to verify any information in any manner. In view of their likely importance for any application, the FCA5 will normally wish to arrange for its own inspection of an applicant's information technology systems.55
REC 5.2.14GRP

Information and supporting documentation (see REC 5.2.4 G).

(1)

Details of the applicant's constitution, structure and ownership, including its memorandum and articles of association (or similar or analogous documents ) and any agreements between the applicant, its owners or other persons relating to its constitution or governance (if not contained in the information listed in REC 5.2.3A G)1. An applicant for RAP status must provide details of the relationship between the governance arrangements in place for the UK RIE and the RAP.3

(2)

Details of all business to be conducted by the applicant, whether or not a regulated activity (if not contained in the information listed in REC 5.2.3A G)1.

(3)

Details of the facilities which the applicant plans to operate, including details of the trading platform or (for an RAP) auction platform,3 settlement arrangements, clearing facilitation services5 and custody services which it plans to supply. An applicant for RAP status must provide details on the relationship between the auction platform and any secondary market in emissions auction products4 which it operates or plans to operate.3

54

(4)

Copies of the last three annual reports and accounts and, for the current financial year, quarterly management accounts.

(5)

Details of its business plan for the first three years of operation as a UK recognised body (if not contained in the information listed in REC 5.2.3A G)1.

(6)

A full organisation chart and a list of the posts to be held by key individuals (with details of the duties and responsibilities) and the names of the persons proposed for these appointments when these names are available (if not contained in the information listed in REC 5.2.3A G)1.

(7)

Details of its auditors, bankers, solicitors and any persons providing corporate finance advice or similar services (such as reporting accountants) to the applicant.

(8)

Details of any relevant functions to be outsourced or delegated, with copies of relevant agreements.

(9)

Details of information technology systems and of arrangements for their supply, management, maintenance and upgrading, and security.

(10)

Details of all plans to minimise disruption to operation of its facilities in the event of the failure of its information technology systems.

(11)

Details of internal systems for financial control, arrangements for risk management and insurance arrangements to cover operational and other risks.

(12)

Details of its arrangements for managing any counterparty risks.

5

(13)

Details of internal arrangements to safeguard confidential or privileged information and for handling conflicts of interest.

(14)

Details of arrangements for complying with the notification rules and other requirements to supply information to the FCA5.

5

(15)

Details of the arrangements to be made for monitoring and enforcing compliance with its rules and with its clearing, settlement and default arrangements.

(16)

A summary of the legal due diligence carried out in relation to ascertaining the enforceability of its rules (including default rules) and the results and conclusions reached.

5

(17)

Details of the procedures to be followed for declaring a member in default, and for taking action after that event to close out positions, protect the interests of other members and enforce its default rules.

(18)

Details of membership selection criteria, rules and procedures, including (for an RAP) details of how the rules of the UK RIE will change in order to reflect RAP status.3

(19)

Details of arrangements for recording transactions effected by, or cleared through, its facilities.

(20)

Details of arrangements for detecting financial crime and market abuse , including arrangements for complying with money laundering law.

(21)

Details of criteria, rules and arrangements for selecting specified investments to be admitted to trading on (or cleared by) an RIE and, where relevant, details of how information regarding specified investments will be disseminated to users of its facilities.

5

(22)

Details of arrangements for cooperating with the FCA5 and other appropriate authorities, including draft memoranda of understanding or letters.

5

(23)

Details of the procedures and arrangements for making and amending rules, including arrangements for consulting on rule changes.

(24)

Details of disciplinary and appeal procedures, and of the arrangements for investigating complaints.

SYSC 7.1.2RRP
A common platform firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.[Note: article 7(1)(a) of the MiFID implementing Directive, article 13(5) second paragraph of MiFID]
SYSC 7.1.3RRP
A common platform firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm's activities, processes and systems, in light of that level of risk tolerance.[Note: article 7(1)(b) of the MiFID implementing Directive]
SYSC 7.1.10RRP
A BIPRUfirm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.15
SYSC 7.1.15RRP
A BIPRU firm must implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a BIPRUfirm's non-trading activities.15