Senior Management Arrangements, Systems and Controls (SYSC) Claire Aynsley Head of Regulatory Compliance and Guidance Gillian Tiplady Regulatory and Corporate Counsel


This morning’s topics

• Purposes of SYSC

• Application

• General Requirements

• Comprehensiveness and Proportionality

• Business Continuity

• Audit committee

• Personnel

• Compliance, internal audit and risk

• Critical outsourcing

• Whistle-blowing

Purposes of SYSC Governance, Risk and Management

• to encourage directors and senior managers to take appropriate practical responsibility for how their firms deal with regulated matters;

• to amplify Principle 3;

• to encourage firms to vest responsibility for effective, responsible organisation in specific directors and senior managers; and

• to create a common platform of organisational and systems and control requirements for all firms.


SYSC 4.1 General Requirements

SYSC 4.1.1 R (1) A firm must have robust governance arrangements, which include (1) a clear organisational structure with (2) well defined, transparent and consistent lines of responsibility, (3) effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and (4) internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.

Comprehensiveness and proportionality

SYSC 4.1.2 R For a common platform firm, the arrangements, processes and mechanisms referred to in SYSC 4.1.1 R must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the business model and of the common platform firm's activities and must take into account the specific technical criteria described in SYSC 4.1.7 R, SYSC 5.1.7 R, SYSC 7 and (for a firm to which SYSC 19A applies) SYSC 19A, or (for a full-scope UK AIFM) SYSC 19B.

SYSC 4.1.2A G Other firms should take account of the comprehensiveness and proportionality rule (SYSC 4.1.2 R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex 1.3.3 G.

Business Continuity

SYSC 4.1.7 R A … firm … should establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.


Basic contents of a business continuity policy

SYSC 4.1.8 G The matters dealt with in a business continuity policy should include:

• (1) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;

• (2) the recovery priorities for the firm's operations;

• (3) communication arrangements for internal and external concerned parties (including the appropriate regulator, clients and the press);

• (4) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;

• (5) processes to validate the integrity of information affected by the disruption; and

• (6) regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC 4.1.10 R.

Audit Committee

SYSC 4.1.11 G Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface between management and external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.


Personnel Requirements

SYSC 4 and 5 contain details of the standards expected of staff in regulated firms.

• Non-executive directors, responsibility and liability limited by the role undertaken.

• Senior personnel must have the right qualities to ensure the sound and prudent management of the firm.

• Employees must have the right “skill, knowledge and expertise” to carry out their roles.

SYSC 6 Compliance, Internal Audit and Financial Crime

SYSC 6.1 Compliance

SYSC 6.1.1 R

• A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.

SYSC 6 Compliance, Internal Audit and Financial Crime

SYSC 6.2 Internal audit

SYSC 6.2.1 R A … firm … should, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services and activities, undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm and which has the following responsibilities:

• (1) to establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm's systems, internal control mechanisms and arrangements;

• (2) to issue recommendations based on the result of work carried out in accordance with (1);

• (3) to verify compliance with those recommendations;

• (4) to report in relation to internal audit matters in accordance with SYSC 4.3.2 R.

SYSC 6 Compliance, Internal Audit and Financial Crime

SYSC 6.3 Financial crime

SYSC 6.3.1 R A firm must ensure the policies and procedures established under SYSC 6.1.1 R include systems and controls that:

(1) enable it to identify, assess, monitor and manage money laundering risk; and

(2) are comprehensive and proportionate to the nature, scale and complexity of its activities.

SYSC 6.3.2 G

"Money laundering risk" is the risk that a firm may be used to further money laundering. Failure by a firm to manage this risk effectively will increase the risk to society of crime and terrorism.


SYSC 6 Compliance, Internal Audit and Financial Crime

SYSC 6.3.6 G In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:

(1) its customer, product and activity profiles;

(2) its distribution channels;

(3) the complexity and volume of its transactions;

(4) its processes and systems; and

(5) its operating environment.

SYSC 7 and 21 Risk Control

• Firms must have effective processes to identify, manage, monitor and report the risks they are exposed to.

• Firms should implement and maintain adequate risk management policies, identifying the risks affecting the firm and setting the level of risk tolerated by the firm (risk appetite).


SYSC 7 and 21 Risk Control

• Requirements are tailored according to the size, nature and complexity of the firm.

• Depending upon the above, firms may need to appoint a Chief Risk Officer and establish a governing body risk committee. Details on the duties of both are in SYSC 21.

• These provisions link to the CF 28 controlled function, Systems and Controls, and that function includes responsibility for reporting on setting and controlling the risk exposure.

Critical outsourcing

Outsourcing (SYSC 8)

SYSC 8.1 General outsourcing requirements

SYSC 8.1.1 R A … firm should:

(1) when relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter "relevant services and activities") on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk….

Critical outsourcing

SYSC 8.1.4 R For the purposes of this chapter an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a common platform firm with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.


Whistleblowing SYSC 18

SYSC 18.1 Application

SYSC 18.1.1 G This chapter is relevant to every firm to the extent that the Public Interest Disclosure Act 1998 ("PIDA") applies to it. PIDA will apply to debt-collecting and other credit related activities.

PIDA protects workers who disclose information about malpractice at their workplace, or former workplace, provided certain conditions are met. These conditions concern the nature of the information disclosed and the person to whom it is disclosed (protected disclosure). If these conditions are fulfilled, the Act protects the worker from suffering detriment as a result of having made the disclosure. If the conditions are not met a disclosure may constitute a breach of the worker’s duty of confidence to his employer.


What is a protected disclosure?

A disclosure, made in the public interest, of information which, in the reasonable belief of the worker making the disclosure, tends to show that one or more of the following (a "failure") has been, is being, or is likely to be, committed:

• (i) a criminal offence; or

• (ii) a failure to comply with any legal obligation; or

• (iii) a miscarriage of justice; or

• (iv) the putting of the health and safety of an individual in danger; or

• (v) damage to the environment; or

• (vi) deliberate concealment relating to any of (i) to (v);

• it is immaterial whether the relevant failure occurred, occurs or would occur in the United Kingdom or elsewhere, and whether the law applying to it is that of the United Kingdom or of any other country or territory.

Whistle-blowing, meeting the requirements

Whistle-blowing policy needs to:

• make a statement that the firm takes failure very seriously;

• explain what failure might be, see previous slide;

• confirm that confidentiality will be respected;

• explain that there will be protection from victimisation;

• state that there will be penalties for false or malicious disclosures; and

• provide an opportunity for concerns to be raised outside the usual reporting line, e.g. to Compliance director, Internal Auditor or Company Secretary.

SYSC 21 Risk Governance

Firms should, taking account of their size, nature and complexity, consider whether in order to fulfil the general organisational requirements in SYSC 2, SYSC 3, SYSC 4, SYSC 7 … their risk control arrangements should include:

(a) appointing a Chief Risk Officer; and

(b) establishing a governing body risk committee.

SYSC 21 then details:

• Duties of the Chief Risk Officer

• Reporting lines of the Chief Risk Officer

• Functions of the governing body risk oversight committee

Conclusion

• Compliance Guide Issue 4 will be available on website later this week.

• FCA queries website: [email protected]

• Contact Claire or Gillian directly: [email protected] [email protected]


ANY QUESTIONS?