PRIN 2.1 Principle 2 - Skill, care and diligence: A firm must conduct its business with due skill, care and diligence.
PRIN 2.1 Principle 3 - Management and control: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
Rule SYSC 3.1.1 R requires that a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business and that per guidance 3.1.2 G (2) the firm should regularly review these systems and controls.
Rule SYSC 3.1.6 R requires that a firm take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime. Furthermore, rule 3.2.6C R requires that these systems and controls are regularly reviewed.
SYSC 3.2.5 G states that where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.
SYSC 3.2.7 G (1) states that depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
SYSC 3.2.11A G (2) defines risks of regulatory concern as those that relate to the fair treatment of the firm's customers, to the protection of consumers, to effective competition and to the integrity of the UK financial system. Risks which are relevant to the integrity of the UK financial system include risks which relate to its soundness, stability and resilience and to the use of the system in connection with financial crime.
SYSC 3.2.15 G states that a firm should have an audit committee.
SYSC 3.2.19 G states that a firm should have appropriate business continuity arrangements in place.
Rule SYSC 3.2.20 R (1) requires that a firm take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system. Guidance at 3.2.21 G states that a firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
Rule SYSC 4.1.1 R (1) requires that a firm must have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.
SYSC 4.1.4 R requires that a firm take into account the nature, scale and complexity of the business of the firm, and the nature and range of the financial services and activities undertaken in the course of that business. The rule goes on to include governance and management reporting and internal controls for all areas of the firm (which includes IT).
SYSC 4.1.5 R requires that a MiFID investment firm and a management company must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.
SYSC 4.1.6 R requires that a common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm must employ appropriate and proportionate systems, resources and procedures.
SYSC 4.1.7 R requires that a common platform firm and a management company must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.
SYSC 4.1.7A G states that other firms should take account of the business continuity rules (SYSC 4.1.6 R and 4.1.7 R) as if they were guidance (and as if "should" appeared in those rules instead of "must"), as explained in SYSC 1 Annex 1.3.3 G. Guidance at SYSC 4.1.8 G highlights that systems and IT processes would be included in the requirements of SYSC 4.1.7 R.
SYSC 4.1.9 R requires the timely delivery of accounting reports including financial statements compliant with accounting standards. This necessarily requires availability of accounting information systems.
SYSC 4.1.10 R requires that a common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.
SYSC 4.1.13 G states that firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21. SYSC 21.1 provides guidance on risk governance and control arrangements.
SYSC 13 provides rules and guidance for insurers on operational risk systems and controls. Specifically, SYSC 13.7.6 G states that a firm should establish and maintain appropriate systems and controls for the management of its IT system risks.
SYSC 14 provides further guidance for insurers with respect to the establishment and maintenance of systems and controls for the management of a firm's prudential risks.
SYSC 6.1.1 R and SYSC 6.1.2 R require that a firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.
SYSC 6.2.1 R requires firms to set up an independent internal audit function responsible for evaluating the adequacy and effectiveness of internal controls.
SYSC 7.1.2 R requires that common platform firms implement risk management policies and procedures including effective risk assessment procedures to identify risks relating to activities, processes and systems. SYSC 7.2.3 G advises that other firms should also apply SYSC 7.1.2 R.
SYSC 7.1.5 R, SYSC 7.1.6 R and SYSC 7.1.7 R require a common platform firm to monitor the adequacy, effectiveness and compliance level for its internal controls along with any remediation to achieve adequacy, effectiveness and compliance.
SYSC 7.1.7A G advises that SYSC 7.1.5 R, SYSC 7.1.6 R and SYSC 7.1.7 R should apply to all firms.
SYSC 7.1.16 R requires that a BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency, high-severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.
SYSC 7.1.17 R, 7.1.18 R and 7.1.21 R require that a CRR firm establish a risk management function, framework and committee.
SYSC 8.1 stipulates requirements and guidance for managing risks associated with outsourcing. This section also makes it clear that the firm remains fully responsible for discharging all of its obligations under the regulatory system.
SYSC 9.1.1 R requires that a firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the appropriate regulator or any other relevant competent authority under MiFID or the UCITS Directive to monitor the firm's compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.
SYSC 9.1.2 R requires that a common platform firm must retain all records kept by it under this chapter in relation to its MiFID business for a period of at least five years.
SYSC 9.1.3 R requires that, in relation to its MiFID business, a common platform firm must retain records in a medium that allows the storage of information in a way accessible for future reference by the appropriate regulator or any other relevant competent authority under MiFID, and so that the following conditions are met:
(1) the appropriate regulator or any other relevant competent authority under MiFID must be able to access them readily and to reconstitute each key stage of the processing of each transaction;
(2) it must be possible for any corrections or other amendments, and the contents of the records prior to such corrections and amendments, to be easily ascertained;
(3) it must not be possible for the records otherwise to be manipulated or altered.
SYSC 9.1.5 G states that, in relation to the retention of records for non-MiFID business, a firm should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records so that the firm may fulfil its regulatory and statutory obligations. With respect to retention periods, the general principle is that records should be retained for as long as is relevant for the purposes for which they are made.