Systems and Controls

Part

SYSC Senior Management Arrangements, Systems and Controls sourcebook

Chapter

Systems and Controls

Printed on: 15/10/2024

Rulebook at: 28/08/2007

SYSC 3

Systems and Controls

SYSC 3.1

Systems and Controls

01/12/2004

SYSC 3.1.1

A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

01/12/2001

SYSC 3.1.1A

SYSC 3.1 and SYSC 3.2.1 G to SYSC 3.2.22 G apply to a BIPRU firm only to the extent that they do not conflict with SYSC 3.2.23 R to SYSC 3.2.36 R.

01/01/2007

SYSC 3.1.2

(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1 R will depend upon a variety of factors including:

(a) the nature, scale and complexity of its business;
(b) the diversity of its operations, including geographical diversity;
(c) the volume and size of its transactions; and
(d) the degree of risk associated with each area of its operation.

(2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.
(3) The areas typically covered by the systems and controls referred to in SYSC 3.1.1 R are those identified in SYSC 3.2. Detailed requirements regarding systems and controls relevant to particular business areas or particular types of firm are covered elsewhere in the Handbook.

01/12/2001

SYSC 3.1.3

Where the Combined Code developed by the Committee on Corporate Governance is relevant to a firm, the FSA, in considering whether the firm's obligations under SYSC 3.1.1 R have been met, will give it due credit for following corresponding provisions in the Code and related guidance.

01/12/2001

SYSC 3.1.4

A firm has specific responsibilities regarding its appointed representatives (see SUP 12).

01/12/2001

SYSC 3.1.5

SYSC 2.1.3 R (2) prescribes how a firm must allocate the function of overseeing the establishment and maintenance of systems and controls described in SYSC 3.1.1 R.

01/12/2001

SYSC 3.2

Areas covered by systems and controls

01/12/2004

Introduction

SYSC 3.2.1

This section covers some of the main issues which a firm is expected to consider in establishing and maintaining the systems and controls appropriate to its business, as required by SYSC 3.1.1 R.

01/12/2001

Organisation

SYSC 3.2.2

A firm's reporting lines should be clear and appropriate having regard to the nature, scale and complexity of its business. These reporting lines, together with clear management responsibilities, should be communicated as appropriate within the firm.

01/12/2001

SYSC 3.2.3

(1) A firm's governing body is likely to delegate many functions and tasks for the purpose of carrying out its business. When functions or tasks are delegated, either to employees or to appointed representatives, appropriate safeguards should be put in place.
(2) When there is delegation, a firm should assess whether the recipient is suitable to carry out the delegated function or task, taking into account the degree of responsibility involved.
(3) The extent and limits of any delegation should be made clear to those concerned.
(4) There should be arrangements to supervise delegation, and to monitor the discharge of delegates functions or tasks.
(5) If cause for concern arises through supervision and monitoring or otherwise, there should be appropriate follow-up action at an appropriate level of seniority within the firm.

01/12/2001

SYSC 3.2.4

(1) The guidance relevant to delegation within the firm is also relevant to external delegation ('outsourcing'). A firm cannot contract out its regulatory obligations. So, for example, under Principle 3 a firm should take reasonable care to supervise the discharge of outsourced functions by its contractor.
(2) A firm should take steps to obtain sufficient information from its contractor to enable it to assess the impact of outsourcing on its systems and controls.

01/12/2001

SYSC 3.2.5

Where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.

01/12/2001

SYSC 3.2.5A

An overseas bank must ensure that at least two individuals effectively direct its business.

01/01/2007

SYSC 3.2.5B

In the case of an overseas bank, the FSA assesses whether at least two individuals effectively direct the business of the bank (and not just the business of its branch in the United Kingdom). The FSA also takes into account the manner in which management decisions are taken in the United Kingdom branch in assessing the adequacy of the overseas bank's systems and controls.

01/01/2007

Systems and controls in relation to compliance, financial crime and money laundering

SYSC 3.2.6

A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.

01/12/2001

SYSC 3.2.6A

A firm must ensure that these systems and controls:

(1) enable it to identify, assess, monitor and manage money laundering risk; and
(2) are comprehensive and proportionate to the nature, scale and complexity of its activities.

01/03/2006

SYSC 3.2.6B

"Money laundering risk" is the risk that a firm may be used to further money laundering. Failure by a firm to manage this risk effectively will increase the risk to society of crime and terrorism.

01/03/2006

SYSC 3.2.6C

A firm must carry out regular assessments of the adequacy of these systems and controls to ensure that it continues to comply with SYSC 3.2.6A R.

01/03/2006

SYSC 3.2.6D

A firm may also have separate obligations to comply with relevant legal requirements, including the Terrorism Act 2000, the Proceeds of Crime Act 2002 and the Money Laundering Regulations. SYSC 3.2.6 R to SYSC 3.2.6J G are not relevant for the purposes of regulation 3(3)of the Money Laundering Regulations, section 330(8) of the Proceeds of Crime Act 2002 or section 21A(6) of the Terrorism Act 2000.

01/03/2006

SYSC 3.2.6E

The FSA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the UK financial sector issued by the Joint Money Laundering Steering Group.

01/03/2006

SYSC 3.2.6F

In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including:

(1) its customer, product and activity profiles;
(2) its distribution channels;
(3) the complexity and volume of its transactions;
(4) its processes and systems; and
(5) its operating environment.

01/03/2006

SYSC 3.2.6G

A firm should ensure that the systems and controls include:

(1) appropriate training for its employees in relation to money laundering;
(2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) on the operation and effectiveness of those systems and controls;
(3) appropriate documentation of its risk management policies and risk profile in relation to money laundering, including documentation of its application of those policies (see SYSC 3.2.20 R to SYSC 3.2.22 G);
(4) appropriate measures to ensure that money laundering risk is taken into account in its day-to-day operation, including in relation to:

(a) the development of new products;
(b) the taking-on of new customers; and
(c) changes in its business profile; and

(5) appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity.

01/03/2006

SYSC 3.2.6H

A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls.

01/03/2006

The money laundering reporting officer

SYSC 3.2.6I

A firm must:

(1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FSA's rules on systems and controls against money laundering; and
(2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility.

01/03/2006

SYSC 3.2.6J

The job of the MLRO within a firm is to act as the focal point for all activity within the firm relating to anti-money laundering. The FSA expects that a firm's MLRO will be based in the United Kingdom.

01/03/2006

The compliance function

SYSC 3.2.7

(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
(2) [deleted]
(3) [deleted]

01/03/2006

SYSC 3.2.8

(1) A firm which carries on designated investment business with or for customers must allocate to a director or senior manager the function of:

(a) having responsibility for oversight of the firm's compliance; and
(b) reporting to the governing body in respect of that responsibility.

(2) In SYSC 3.2.8 R (1) (1) "compliance" means compliance with the rules in:

(a) COB COBS (Conduct of Business);
(b) COLL (New Collective Investment Schemes) and CIS (Collective Investment Schemes) sourcebook); and
(c) CASS (Client Assets)

01/04/2004

SYSC 3.2.9

(1) SUP 10.7.8 R uses SYSC 3.2.8 R to describe the controlled function, known as the compliance oversight function, of acting in the capacity of a director or senior manager to whom this function is allocated.
(2) The rules referred to in SYSC 3.2.8 R (2) are the minimum area of focus for the firm's compliance oversight function. A firm is free to give additional responsibilities to a person performing this function if it wishes.

01/12/2001

Risk assessment

SYSC 3.2.10

(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate risk assessment function responsible for assessing the risks that the firm faces and advising the governing body and senior managers on them.
(2) The organisation and responsibilities of a risk assessment function should be documented. The function should be adequately resourced and staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively.
(3) The term 'risk assessment function' refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. The risk assessment function is not a controlled function itself, but is part of the systems and controls function (CF28).

01/12/2001

Management information

SYSC 3.2.11

(1) A firm's arrangements should be such as to furnish its governing body with the information it needs to play its part in identifying, measuring, managing and controlling risks of regulatory concern. Three factors will be the relevance, reliability and timeliness of that information.
(2) Risks of regulatory concern are those risks which relate to the fair treatment of the firm's customers, to the protection of consumers, to confidence in the financial system, and to the use of that system in connection with financial crime.

01/12/2001

SYSC 3.2.12

It is the responsibility of the firm to decide what information is required, when, and for whom, so that it can organise and control its activities and can comply with its regulatory obligations. The detail and extent of information required will depend on the nature, scale and complexity of the business.

01/12/2001

Employees and agents

SYSC 3.2.13

A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it.

01/12/2001

SYSC 3.2.14

(1) SYSC 3.2.13 G includes assessing an individual's honesty, and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate.
(2) Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently.
(3) The FSA's detailed requirements on firms with respect to the competence of individuals are in the Training and Competence sourcebook (TC).[deleted]
(4) The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10.

01/12/2001

Audit committee

SYSC 3.2.15

Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable - see SYSC 3.2.16 G) and provide an interface between management and the external auditors. It should have an appropriate number of non-executive directors and it should have formal terms of reference.

01/12/2001

Internal audit

SYSC 3.2.16

Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.

(1) Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to delegate much of the task of monitoring the appropriateness and effectiveness of its systems and controls to an internal audit function. An internal audit function should have clear responsibilities and reporting lines to an audit committee or appropriate senior manager, be adequately resourced and staffed by competent individuals, be independent of the day-to-day activities of the firm and have appropriate access to a firm's records.
(2) The term 'internal audit function' refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28).

01/12/2001

Business strategy

SYSC 3.2.17

A firm should plan its business appropriately so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.

01/12/2001

Remuneration policies

SYSC 3.2.18

It is possible that firms' remuneration policies will from time to time lead to tensions between the ability of the firm to meet the requirements and standards under the regulatory system and the personal advantage of those who act for it. Where tensions exist, these should be appropriately managed.

01/12/2001

Business continuity

SYSC 3.2.19

A firm should have in place appropriate arrangements, having regard to the nature, scale and complexity of its business, to ensure that it can continue to function and meet its regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

01/12/2001

Records

SYSC 3.2.20

(1) A firm must take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system.
(2) Subject to (3) and to any other record-keeping rule in the Handbook, the records required by (1) or by such other rule must be capable of being reproduced in the English language on paper.
(3) If a firm's records relate to business carried on from an establishment in a country or territory outside the United Kingdom, an official language of that country or territory may be used instead of the English language as required by (2).

01/12/2001

SYSC 3.2.21

A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.

01/12/2001

SYSC 3.2.22

Detailed record-keeping requirements for different types of firm are to be found elsewhere in the Handbook. Schedule 1 to the Handbook is a consolidated schedule of these requirements.

01/12/2001

CRD Requirements: (1) General organisation requirements

SYSC 3.2.23

A BIPRU firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and adequate internal control mechanisms, including sound administrative and accounting procedures.

[Note: article 22(1) of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.24

The arrangements, processes and mechanisms referred to in SYSC 3.2.23 R must be comprehensive and proportionate to the nature, scale and complexity of the BIPRU firm's activities. The technical criteria laid down in BIPRU 2.3.7 R (1), BIPRU 9.1.6 R, BIPRU 9.13.21 R (Liquidity plans), BIPRU 10.12.3 R (Concentration risk policies), SYSC 3.2.26 R and SYSC 3.2.28 R to SYSC 3.2.36 R must be taken into account.

[Note: article 22(2) of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.25

A BIPRU firm must ensure that its internal control mechanisms and administrative and accounting procedures permit the verification of its compliance with rules adopted in accordance with the Capital Adequacy Directive at all times.

[Note: article 35(1) second sentence of the Capital Adequacy Directive]

01/01/2007

SYSC 3.2.26

A BIPRU firm must have contingency and business continuity plans in place aimed at ensuring its ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

[Note: annex V paragraph 13 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.27

A credit institution must have at least two persons who effectively direct the business of the firm. These persons must be of sufficiently good repute and have sufficient experience to perform their duties.

[Note: article 11(1) of the Banking Consolidation Directive]

01/01/2007

CRD Requirements: (2) Employees, agents and other relevant persons

SYSC 3.2.28

The governing body of a BIPRU firm must define arrangements concerning the segregation of duties in the organisation and the prevention of conflicts of interest.

[Note: annex V paragraph 1 of the Banking Consolidation Directive]

01/01/2007

CRD Requirements: (3) Risk control

SYSC 3.2.29

The governing body of a BIPRU firm must approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates in relation to the status of the business cycle.

[Note: annex V paragraph 2 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.30

A BIPRU firm must base credit-granting on sound and well-defined criteria and clearly establish the process for approving, amending, renewing, and re-financing credits.

[Note: annex V paragraph 3 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.31

A BIPRU firm must operate through effective systems the ongoing administration and monitoring of its various credit risk-bearing portfolios and exposures, including for identifying and managing problem credits and for making adequate value adjustments and provisions.

[Note: annex V paragraph 4 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.32

A BIPRU firm must adequately diversify credit portfolios given its target markets and overall credit strategy.

[Note: annex V paragraph 5 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.33

A BIPRU firm must address and control by means of written policies and procedures the risk that recognised credit risk mitigation techniques used by it prove less effective than expected.

[Note: annex V paragraph 6 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.34

A BIPRU firm must implement policies and processes for the measurement and management of all material sources and effects of market risks.

[Note: annex V paragraph 10 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.35

A BIPRU firm must implement systems to evaluate and manage the risk arising from potential changes in interest rates as they affect a BIPRU firm's non-trading activities.

[Note: annex V paragraph 11 of the Banking Consolidation Directive]

01/01/2007

SYSC 3.2.36

A BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency high severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.

[Note: annex V paragraph 12 of the Banking Consolidation Directive]

01/01/2007