Compliance Guide to the FCA Handbook. Issue 4 Senior Management Arrangements, Systems and Controls (SYSC)

Transcription

1 Compliance Guide to the FCA Handbook Issue 4 Senior Management Arrangements, Systems and Controls (SYSC)

2 Important note These guidance notes are for the use of CSA Members who are preparing for authorisation by the Financial Conduct Authority (FCA) to carry out consumer credit services. They are not a substitute for firm specific legal advice or for a full review of the FCA Handbook. The Compliance Guide is intended to help Members review and understand the FCA Handbook and prepare for authorisation and supervision by the FCA. The format of the guide will allow Members to access support with the Handbook provisions and by completing the notes column in the guidance templates, to evidence how they comply. This is a discipline that will be important in the FCA-regulated world both as a way of evidencing compliance and also by creating a source for approved persons to prepare for compliance visits and interviews. Using the Compliance Guide should also assist members as they complete their application for authorisation. Terminology It is worth familiarising yourself with the terminology and abbreviations used by the FCA. Where sections of the Handbook are referred to they are quoted as, for example, PRIN R as they would appear in the Handbook. We explained what these references mean in our short guide to the FCA Handbook, the link to which is set out later in this document. The business applying for authorization is referred to throughout as the the firm, which is consistent with the terminology used by the FCA. Other commonly-used abbreviations are: The Act means the Financial Services and Markets Act 2000, as amended The FCA means the Financial Conduct Authority The OFT means the Office of Fair Trading The Financial Conduct Authority The FCA is one of two successor bodies that replaced the Financial Services Authority (FSA) after the implementation of the Financial Services Act 2012, the other being the Prudential Regulatory Authority (PRA). The PRA is part of the Bank of England and is responsible for the prudential regulation and supervision of banks, building societies, credit unions, insurers and major investment firms; as such consumer credit act firms are not within its remit. The FCA s strategic objective is to ensure that the markets it oversees function well. In pursuit of this, it has three operational objectives: to secure an appropriate degree of protection for consumers; to protect and enhance the integrity of the UK financial system; and to promote effective competition in the interests of consumers. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

3 The FCA fulfils these objectives by making rules and guidance on how regulated firms must act and how regulated business must be carried out. With effect from 1 April 2014 it also assumed responsibility for enforcement of the Consumer Credit Act following the closure of the Office of Fair Trading (OFT). The FCA rules and guidance may be found at and Members should make themselves familiar with the Handbook and its guidance, during and after the process of applying for full authorisation. Firms will need to be in a position to demonstrate how they comply with the relevant sections of the Handbook both at the time of authorisation and thereafter. The FCA supervision regime is very much evidence based and the discipline of being in a position to evidence how a firm complies should be adopted at an early stage. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

4 Introduction Principle 3 of the Principles for Business (see Compliance Guide Issue 1) states: A firm must take reasonable care to organise and control its affairs responsibly and effectively with adequate risk management systems, and one of the functions of SYSC is to amplify the Principle, providing a common platform for business organisation. In this issue we will look at all of the provisions of SYSC that apply to credit-related regulated firms and how a firm can set about demonstrating compliance with them. The FCA has made it clear that it will seek to apply the provisions of the Handbook in a manner proportionate to the nature, scale and complexity of credit related businesses and in SYSC this is demonstrated clearly in the comprehensiveness and proportionality rule (SYSC 4.1.2R) and the guidance at SYSC 4.1.2A G. These make express provision for many of SYSC s rules to be mitigated to guidance and to be applied to credit firms in a manner that is comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the business model and of the.firm s activities. The provisions of SYSC cover a varied range of topics which can be broadly categorised as touching on principles of sound corporate governance and risk management. They include money-laundering, business continuity and whistle-blowing. In working towards compliance with SYSC, firms should also have recourse to the guidance that is available on the Public Interest Disclosure Act 1998 and the Joint Money Laundering Steering Group (JMLSG) guidelines, the links for which are on the CSA website and contained within the text of the guide. Firms should also bear in mind that the FCA has, as one of its strategic objectives, protecting the integrity of financial markets. In fulfilling this aim and reviewing firms, it will look at the integrity and honesty of senior individuals within the business and at your business standards. Embracing regulation and good standards of corporate governance should be seen as an opportunity to demonstrate integrity in the running of your business. Compliance with SYSC provides a platform for that. Not all sections of SYSC apply to all firms and we have set out in the guide details of the sections that apply to credit firms. There are specific provisions in relation to the applicability of certain provisions to sole traders and these are covered in the text of the guide. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

5 Senior Management Arrangements, Systems and Controls (SYSC) This section of the Handbook can be found in the High Level Standards volume. It sets out the standards of good governance required for firms, directors and senior managers in the regulated environment. It is most important to have appropriate standards of good corporate governance in place within your business reflecting a positive culture of compliance and good practice. The FCA has indicated that bad practices are driven by bad culture and thus demonstrating that good corporate governance standards have been embraced is advisable. Businesses that embrace SYSC as should find that it will guide them towards standards of good practice that will be beneficial to it in the regulated environment and in relation to any unregulated business. In terms of the applicability of SYSC it is important to note that not all sections of it apply to all firms and we have set out on the next page how this operates. Furthermore, in regard to credit related regulated firms, there is a comprehensiveness and proportionality rule in place which reduces many of the provisions in SYSC from rules to guidance and the following sections of this Guide highlight how this operates.

6 Provision Guidance Notes Type of firm Applicable chapters Insurer Chapters 2, 3, 11 to 18, 21 2 Managing agent Chapters 2, 3, 11, 12, 18, 21 2 Not all sections of SYSC apply to credit related regulated firms. As set out opposite from SYSC 1.1A1, the applicable sections are 4 to 12, 18, 19A and 21. Society Chapters 2, 3, 12, 18, 21 2 Every other firm Chapters 4 to 12, 18 3, 4, 19A 4, 21 2 SYSC 1.2 Purpose SYSC G The purposes of SYSC are: 1) to encourage firms' directors and senior managers to take appropriate practical responsibility for their firms' arrangements on matters likely to be of interest to the appropriate regulator because they impinge on the appropriate regulator's functions under the Act; This section is fairly self-explanatory. SYSC is about good governance and that should be of interest and value to all firms. A culture of strong governance in any business is a positive thing and this is an area on which the FCA has focused closely. They have found that bad practices are driven by poor culture. Using SYSC to benchmark your business against good standards of governance is important in demonstrating business integrity. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

7 2) to increase certainty by amplifying Principle 3, under which a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems; 3) to encourage firms to vest responsibility for effective and responsible organisation in specific directors and senior managers; and 4) to create a common platform of organisational and systems and controls requirements for all firms SYSC G The application of each of chapters SYSC 11 to 11, 3, 22SYSC 213 is set out in those chapters and in SYSC 1.4.1A R5. In many cases this will mean that rules are lessened to guidance for credit regulated firms. This is illustrated in each section for ease of reference. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

8 SYSC 4.1 General requirements SYSC R (1) A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. This rule sets out four distinct requirements: 1. a clear organisational structure; 2. clear and unambiguous lines of responsibility; 3. effective risk processes, including, 4. arrangements to protect IT systems. SYSC expands on its requirements in each of these areas in later chapters however, nothing is being suggested here that a well-managed business would not understand and have, or be able to put, in place. SYSC R For a common platform firm, the arrangements, processes and mechanisms referred to in SYSC R must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the business model and of the common platform firm's activities and must take into account the specific technical criteria described in SYSC R, SYSC R, SYSC 7 and (for a firm to which SYSC 19A applies) SYSC 19A, or (for a fullscope UK AIFM) SYSC 19B. This is the comprehensiveness and proportionality rule. This applies a degree of balance to the way SYSC operates in regard to your business depending upon its scale and complexity. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

9 SYSC 4.1.2A G Other firms should take account of the comprehensiveness and proportionality rule (SYSC R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex G. The other firms referred to here include credit related regulated firms. Where appropriate throughout this guide should has been substituted for must for ease of reference. Mechanisms and procedures for a firm SYSC R A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)) must, taking into account the nature, scale and complexity of the business of the firm, and the nature and range of the financial services and activities undertaken in the course of that business: (1) (if it is a common platform firm or a management company) establish, implement and maintain decision-making procedures and an organisational structure which clearly and in a documented manner specifies reporting lines and allocates functions and responsibilities; Only the second of these provisions applies as a rule to credit firms. So firms must establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm. These must be proportionate to the nature and complexity of the business and the services it provides. Sub-categories 1,3 and 4 of this rule apply as guidance to credit firms as confirmed by SYSC 4.1.4A G below. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

10 (2) establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the firm; (3) (if it is a common platform firm) establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the firm; and (4) (if it is a management company) establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the management company as well as effective information flows with any third party involved. SYSC 4.1.4A G A firm that is not a common platform firm or a management company should take into account the decision-making procedures and effective internal reporting rules (SYSC 4.1.4R (1), (3) and (4)) as if they were guidance (and as if "should" appeared in those rules instead Issue 4 - October 2014 Compliance Guide to the FCA Handbook

11 of "must") as explained in SYSC 1 Annex G. Business continuity SYSC R A firm should establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities. SYSC G The matters dealt with in a business continuity policy should include: (1) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources; (2) the recovery priorities for the firm's operations; SYSC 4.1.7A G mitigates this from a rule to guidance and it is reproduced here accordingly. The required contents of the business continuity policy are set out in the next section. Broadly, the FCA needs to see that you have considered your continuity procedures in the event of an emergency affecting your firm. You need to consider what key processes would be affected and in priority based on hours, days and weeks, how would you recreate these to ensure that there is no detriment to your customers. You also need to address how this policy is communicated throughout the firm and how it is tested. There are likely to be small incidents that will occur that will allow you to perform a live test of the policy and determine if any changes are needed. For example, if there is a power or systems outage, consider how you dealt with that in terms of keeping your business going in the meantime, what did you learn about things that were helpful and things that could be done better. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

12 (3) communication arrangements for internal and external concerned parties (including the appropriate regulator, clients and the press); Think also about how you will communicate with staff, customers and the FCA if there is an emergency. (4) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information; (5) processes to validate the integrity of information affected by the disruption; and (6) regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC R. Regular monitoring SYSC R A.. firm. should monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC R (the text of this rule extends to SYSC R but those parts of the cross- This rule is mitigated to guidance by SYSC A below and is therefore reproduced here as such. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

13 reference are disapplied by SYSC A) and take appropriate measures to address any deficiencies. SYSC A G Other firms should take account of the regular monitoring rule (SYSC R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex G, but ignoring the cross-reference to SYSC R and R. Audit committee SYSC G Depending on the nature, scale and complexity of its business, it may be appropriate for a firm to form an audit committee. An audit committee could typically examine management's process for ensuring the appropriateness and effectiveness of systems and controls, examine the arrangements made by management to ensure compliance with requirements and standards under the regulatory system, oversee the functioning of the internal audit function (if applicable) and provide an interface between management and external auditors. It should have an appropriate For those firms that need to establish an audit committee the Financial Reporting Council produces some useful guidance on its website at: Work/Publications/Corporate- Governance/Guidance-on-Audit-Committees- September-2012.aspx. The audit committee has a particular role, acting independently from the executive, to ensure that the interests of shareholders are properly protected in relation to financial reporting and internal control. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

14 number of non-executive directors and it should have formal terms of reference. Risk control: additional guidance SYSC G Firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21. SYSC 21 is considered later in this document. Apportionment of responsibilities: the role of the non-executive director SYSC G The role undertaken by a non-executive director will vary from one firm to another. Where a non-executive director is an approved person, for example where the firm is a body corporate, his responsibility and therefore liability will be limited by the role that he undertakes. It is important to remember that the role of a nonexecutive director is to monitor and challenge the performance of the executive directors in the interests of the firm and its stakeholders. Nonexecutive directors will need to be conversant with the management information they receive and how it facilitates this challenge. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

15 SYSC 4.2 Persons who effectively direct the business SYSC R The senior personnel of a. firm,.. [should] be of sufficiently good repute and sufficiently experienced as to ensure the sound and prudent management of the firm. The text here is as the provision should be read for a credit related regulated firm, see SYSC 4.2.1A G below. SYSC 4.2.1A G Other firms should take account of the senior personnel rule (SYSC R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex G. SYSC 4.3 Responsibility of senior personnel SYSC R A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)), when allocating functions internally, must ensure that senior personnel and, where appropriate, the supervisory function, are responsible for ensuring that the firm Undertaking a compliance gap analysis to assess the extent to which your business meets its obligations under the FCA Handbook and where it has further work to do is a necessary first step for firms entering the FCA regime and the responsibility of senior management. Once this has been done a structured approach to compliance is appropriate to implement policies and procedures that achieve regulatory Issue 4 - October 2014 Compliance Guide to the FCA Handbook

16 complies with its obligations under the regulatory system. In particular, senior personnel and, where appropriate, the supervisory function must assess and periodically review the effectiveness of the policies, arrangements and procedures put in place to comply with the firm's obligations under the regulatory system and take appropriate measures to address any deficiencies. compliance. Firms might consider (depending upon size) a compliance policy and a documented approach to compliance with each relevant section of the Handbook such as might be achieved by using this guide. SYSC R A firm (with the exception of a sole trader who does not employ any person who is required to be approved under section 59 of the Act (Approval for particular arrangements)) and a management company, should ensure that: Text here amended to reflect applicability of this provision to credit related regulated firms as a result of SYSC 4.3.2A G below. The referred to sections are dealt with later in this guide. (1) its senior personnel receive on a frequent basis, and at least annually, written reports on the matters covered by SYSC R to SYSC R, SYSC R and SYSC R, SYSC R and SYSC R to SYSC R, indicating in particular whether the appropriate remedial measures have been taken in the event of any deficiencies; and Issue 4 - October 2014 Compliance Guide to the FCA Handbook

17 (2) the supervisory function, if any, receives on a regular basis written reports on the same matters. SYSC 4.3.2A G Other firms should take account of the written reports rule (SYSC R) as if it were guidance (and as if "should" appeared in that rule instead of "must") as explained in SYSC 1 Annex G4. SYSC G The supervisory function does not include a general meeting of the shareholders of a firm, or equivalent bodies, but could involve, for example, a separate supervisory board within a twotier board structure or the establishment of a non-executive committee of a singletier board structure. SYSC 4.4 Apportionment of responsibilities Application SYSC 4.4.1A R This section applies to: Issue 4 - October 2014 Compliance Guide to the FCA Handbook

18 (3) a credit firm which holds only a limited permission (other than a not-for-profit debt advice body) with respect to the relevant credit activity (as defined in paragraph 2G of Schedule 6 to the Act) for which it has limited permission; (5) a sole trader, but only if he employs any person who is required to be approved under section 59 of the Act (Approval for particular arrangements). In this context a credit firm means: a firm with permission to carry on a credit-related regulated activity. Note however, that this is then further limited to those credit firms which have limited permission. For firms not within these provisions the requirements on apportionment and oversight are driven by SUP. Maintaining a clear and appropriate apportionment SYSC R A firm must take reasonable care to maintain a clear and appropriate apportionment of significant responsibilities among its directors and senior managers in such a way that: 1) it is clear who has which of those responsibilities; and 2) the business and affairs of the firm can be adequately monitored and controlled by the directors, relevant senior Issue 4 - October 2014 Compliance Guide to the FCA Handbook

19 managers and governing body of the firm. Allocating functions of apportionment and oversight SYSC R A firm must appropriately allocate to one or more individuals, in accordance with the following table, the functions of: 1) dealing with the apportionment of responsibilities under SYSC R; and 2) overseeing the establishment and maintenance of systems and controls under SYSC R. For table and Q and As see SYSC 4.4.5R. SYSC 5 EMPLOYEES, AGENTS AND OTHER RELEVANT PERSONS SYSC 5.1 Skills, knowledge and expertise SYSC R A firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them. This is a fairly straightforward statement but it should be borne in mind that at the more senior levels firms will be expected to be able to demonstrate how they have assessed individuals as competent to perform the responsibilities allocated to them. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

20 SYSC G A firm's systems and controls should enable it to satisfy itself of the suitability of anyone who acts for it. This includes assessing an individual's honesty and competence. This assessment should normally be made at the point of recruitment. An individual's honesty need not normally be revisited unless something happens to make a fresh look appropriate. This section is driving at recruitment procedures, both internal and external. Checks carried out on individuals, and interview procedures should be tailored to the scope and extent of the role. SYSC G Any assessment of an individual's suitability should take into account the level of responsibility that the individual will assume within the firm. The nature of this assessment will generally differ depending upon whether it takes place at the start of the individual's recruitment, at the end of the probationary period (if there is one) or subsequently. It would be advisable to have in place interview processes and record-keeping that will evidence how assessments are made. Those assessments will differ according to the role to be undertaken by a candidate. SYSC G The Training and Competence sourcebook (TC) contains additional rules and guidance relating to specified retail activities undertaken by a firm. Not applicable to credit related regulated activities, but see SYSC 5.1.4A below. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

21 SYSC 5.1.4A G Firms which are carrying on activities that are not subject to TC may nevertheless wish to take TC into account in complying with the competence requirements in SYSC. Essentially firms may wish to set competence standards for employees and offer training to demonstrate continued competence of their staff. SYSC G The requirements on firms with respect to approved persons are in Part V of the Act (Performance of regulated activities) and SUP 10A and SUP 10B. These topics are covered in Compliance Guide issue 3. SYSC 5.1.5A G If a firm requires employees who are not subject to a qualification requirement in TC to pass a relevant examination from the list of recommended examinations maintained by the Financial Skills Partnership, the appropriate regulator will take that into account when assessing whether the firm has ensured that the employee satisfies the knowledge component of the competent employees rule. The competent employees rule is as follows: A firm which is not a common platform firm must employ personnel with the skills, knowledge and expertise necessary for the discharge of the responsibilities allocated to them. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

22 Segregation of functions SYSC R A firm should ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular functions soundly, honestly and professionally. Text adjusted to reflect this is guidance for credit firms as per SYSC 5.1.7A G. SYSC R The senior personnel of a firm should define arrangements concerning the segregation of duties within the firm and the prevention of conflicts of interest. SYSC 5.1.7A G A conflict of interest might arise where a monitoring role (eg compliance or internal audit) reports in to a function that it is responsible for monitoring, as this might affect how it monitors the performance of the person the role reports to. Other firms should take account of the segregation of functions rules (SYSC R and SYSC R) as if they were guidance (and as if should appeared in those rules instead of must) as explained in SYSC 1 Annex G9. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

23 SYSC G The effective segregation of duties is an important element in the internal controls of a firm in the prudential context. In particular, it helps to ensure that no one individual is completely free to commit a firm's assets or incur liabilities on its behalf. Segregation can also help to ensure that a firm's governing body receives objective and accurate information on financial performance, the risks faced by the firm and the adequacy of its systems. Prudential context means: in relation to activities carried on by a firm, the context in which the activities have, or might reasonably be regarded as likely to have, a negative effect on: a) the integrity of the UK financial system; or b) the ability of the firm to meet either: i. the "fit and proper" test in threshold condition 2E and 3D (Suitability); or ii. the applicable requirements and standards under the regulatory system relating to the firm's financial resources Issue 4 - October 2014 Compliance Guide to the FCA Handbook

24 SYSC G A firm should normally ensure that no single individual has unrestricted authority to do all of the following: 1) initiate a transaction; 2) bind the firm; 3) make payments; and 4) account for it. The reasons for this are self-explanatory. There should be adequate checks and balances on transactions undertaken by a business and if this cannot be done by allocating these tasks to several individuals then SYSC below requires that frequent senior management checks are undertaken. SYSC G Where a firm is unable to ensure the complete segregation of duties (for example, because it has a limited number of staff), it should ensure that there are adequate compensating controls in place (for example, frequent review of an area by relevant senior managers). Awareness of procedures SYSC R A.. firm should ensure that its relevant persons are aware of the procedures which must be followed for the proper discharge of their responsibilities. Text amended to reflect the proportionality provisions of SYSC A below. This provision is important for all and for approved persons might be the kind of enquiry undertaken in a SIF interview or supervisory visit. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

25 SYSC A G Other firms should take account of the rule concerning awareness of procedures (SYSC R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex G. General SYSC R The systems, internal control mechanisms and arrangements established by a firm in accordance with this chapter should take into account the nature, scale and complexity of its business and the nature and range of financial services and activities undertaken in the course of that business. Text amended in accordance with SYSC G. This is a fairly self-explanatory provision requiring that control mechanisms are appropriate for the scale and complexity of the individual business. SYSC R A.. firm should monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with this chapter, and take appropriate measures to address any deficiencies. Text amended to reflect SYSC G. Regular review of the adequacy of systems and controls is good business practice. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

26 SYSC G Other firms should take account of the rule requiring monitoring and evaluation of the adequacy and effectiveness of systems (SYSC R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex G. Compliance, internal audit and financial crime (SYSC 6) SYSC 6.1 Compliance SYSC R A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime. This section is looking for two things: 1) a compliance approach that deals with a firm s regulatory obligations; and 2) policies and procedures that limit the risk of the firm being used for financial crime. A compliance policy that identifies and addresses all of the regulatory obligations of the firm and how they are met is an ideal first step in regard to item 1. As for item 2, all firms are required to take steps to defend themselves against financial crime but this can be done in a variety of ways. The FCA will expect senior management to take clear responsibility for managing the risks of financial crime. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

27 SYSC 6.1.1A G The FCA provides guidance on steps that a firm can take to reduce the risk that it might be used to further financial crime in FC (Financial crime: a guide for firms). SYSC R A firm should taking into account the nature, scale and complexity of its business, and the nature and range of financial services and activities undertaken in the course of that business, establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system, as well as associated risks, and put in place adequate measures and procedures designed to minimise such risks and to enable the appropriate regulator to exercise its powers effectively under the regulatory system and to enable any other competent authority to exercise its powers effectively under MiFID or the UCITS Directive. For both firms that are new to the assessment of financial crime and those refining policies and procedures the guide referred to here, which can be found within the Regulatory Guides section of the Handbook, is a very useful source. Text amended to take account of the proportionality provision at SYSC 6.1.2A G. The scale, level of risk and complexity of the business will determine the extent of policies and procedures required to meet this guidance. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

28 SYSC 6.1.2A G Other firms should take account of the adequate policies and procedures rule (SYSC R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex G. SYSC R A. firm should maintain a permanent and effective compliance function which operates independently and which has the following responsibilities: 1) to monitor and, on a regular basis, to assess the adequacy and effectiveness of the measures and procedures put in place in accordance with SYSC R, and the actions taken to address any deficiencies in the firm's compliance with its obligations; and Text amended to reflect the proportionality provision at SYSC 6.1.3A. In the more sophisticated businesses compliance monitoring to test the policies and procedures that are in place is appropriate. Supporting those who carry out the regulated activities is a key part of a compliance function, beginning with identifying all the regulations that apply and supporting the creation of policies and procedures on doing business that achieve compliance. 2) to advise and assist the relevant persons responsible for carrying out regulated activities to comply with the firm's obligations under the regulatory system. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

29 SYSC 6.1.3A G (1) Other firms should take account of the compliance function rule (SYSC R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex G. (2) Notwithstanding SYSC R, as it applies under (1), depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. Where a firm has a separate compliance function the firm should also take into account SYSC R and SYSC R as guidance. Whilst SYSC 6.1.3R is guidance for credit related regulated firms, there may still be a need for those firms to have a separate compliance function. SYSC R In order to enable the compliance function to discharge its responsibilities properly and independently, a common platform firm and a management company must ensure that the following conditions are satisfied: This provision must also be read as guidance by credit related regulated firms where they have a separate compliance function. (1) the compliance function must have the necessary authority, resources, expertise and access to all relevant information; Issue 4 - October 2014 Compliance Guide to the FCA Handbook

30 (2) a compliance officer must be appointed and must be responsible for the compliance function and for any reporting as to compliance required by SYSC R; (3) the relevant persons involved in the compliance functions should not be involved in the performance of services or activities they monitor; (4) the method of determining the remuneration of the relevant persons involved in the compliance function should not compromise their objectivity and should not be likely to do so. )Text amended here to reflect the )proportionality rule in SYSC 6.1.5R. This )recognizes that in smaller businesses this )degree of separation cannot be achieved. SYSC A G In setting the method of determining the remuneration of relevant persons involved in the compliance function: 1) firms that SYSC 19A applies to will also need to comply with the Remuneration Code; and 2) BIPRU firms1 will also need to comply with the BIPRU Remuneration Code. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

31 SYSC 6.1.4A} SYSC B} Not applicable to credit firms. SYSC 6.1.4C R A debt management firm and a credit repair firm must appoint a compliance officer to be responsible for ensuring the firm meets its obligations under SYSC R for any compliance function the firm has and for any reporting as to compliance which may be made under SYSC R. SYSC R A common platform firm and a management company need not comply with SYSC R (3) or SYSC R (4) if it is able to demonstrate that in view of the nature, scale and complexity of its business, and the nature and range of financial services and activities, the requirements under those rules are not proportionate and that its compliance function continues to be effective. SYSC 6.1.4R above has been amended accordingly. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

32 SYSC G Other firms should take account of the proportionality rule (SYSC R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex G. SYSC 6.1.7R Not applicable to credit related regulated firms. SYSC 6.2 Internal audit SYSC R A firm should, where appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of its financial services and activities, undertaken in the course of that business, establish and maintain an internal audit function which is separate and independent from the other functions and activities of the firm and which has the following responsibilities: Text amended in accordance with SYSC 6.2.1A G below. So credit related regulated firms may need to have an internal audit function depending upon the nature of their business and where this function exists, it will need to fulfil responsibilities 1 to 4 in this provision. There is an explanation of what internal audit means at SYSC 6.2.2G below. (1) to establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm's systems, internal control mechanisms and arrangements; Issue 4 - October 2014 Compliance Guide to the FCA Handbook

33 (2) to issue recommendations based on the result of work carried out in accordance with (1); (3) to verify compliance with those recommendations; (4) to report in relation to internal audit matters in accordance with SYSC R. SYSC 6.2.1A G Other firms should take account of the internal audit rule (SYSC R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex G3. SYSC G The term 'internal audit function' in SYSC R (and SYSC G) refers to the generally understood concept of internal audit within a firm, that is, the function of assessing adherence to and the effectiveness of internal systems and controls, procedures and policies. The internal audit function is not a controlled function itself, but is part of the systems and controls function (CF28). Issue 4 - October 2014 Compliance Guide to the FCA Handbook

34 SYSC 6.3 Financial crime SYSC R A firm must ensure the policies and procedures established under SYSC R include systems and controls that: (1) enable it to identify, assess, monitor and manage money laundering risk; and (2) are comprehensive and proportionate to the nature, scale and complexity of its activities. The most widely recognized guidance on money laundering in the financial services sector comes from the Joint Money Laundering Steering Group which publishes comprehensive guidance on firm s obligations and identifying risk in various sectors. The JMLSG guidance on consumer credit providers was approved by HM Treasury on 29th July 2014 and can be found at SYSC G "Money laundering risk" is the risk that a firm may be used to further money laundering. Failure by a firm to manage this risk effectively will increase the risk to society of crime and terrorism. As will be seen from SYSC G below the FCA sets considerable store by the use of the JMLSG guidelines and they therefore need to be addressed. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

35 SYSC R A firm must carry out a regular assessment of the adequacy of these systems and controls to ensure that they continue to comply with SYSC R. SYSC G A firm may also have separate obligations to comply with relevant legal requirements, including the Terrorism Act 2000, the Proceeds of Crime Act 2002 and the Money Laundering Regulations. SYSC R and SYSC R to SYSC G are not relevant for the purposes of regulation 242(3) or 45(2)2 of the Money Laundering Regulations, section 330(8) of the Proceeds of Crime Act 2002 or section 21A(6) of the Terrorism Act SYSC G The FCA, when considering whether a breach of its rules on systems and controls against money laundering has occurred, will have regard to whether a firm has followed relevant provisions in the guidance for the United Kingdom financial sector issued by the Joint Money Laundering Steering Group. In terms of debt collecting the debtors should have been identified by your client at the point of lending but you will need to look into this on a client by client basis. Debt collectors need to be aware of the potential signs that repayment of debt is being used for financial crime. The Law Society has given the following guidance. There are some emerging trends which highlight known warning signs that money laundering may be occurring in this context. These include: non face-to-face client, who is often quite a distance from the firm the debtor may also be quite a distance from the firm scant paperwork supporting the alleged debt the debt is settled very quickly, sometimes even before the first letter of demand the client is willing to pay your fees even though you have done very little work fees are overpaid and paid in advance, sometimes in cash and other times by fraudulent cheques the client requests the funds recovered or the overpaid part of the fees to be paid to a third party. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

36 SYSC G In identifying its money laundering risk and in establishing the nature of these systems and controls, a firm should consider a range of factors, including: (1) its customer, product and activity profiles; (2) its distribution channels; (3) the complexity and volume of its transactions; (4) its processes and systems; and It is important that you are able to demonstrate that you have considered the nature of your business and its customers and identified where the risks that your business could be used for financial crime lie. From there you can create measures to mitigate that risk. It is advisable that training on money laundering is provided annually to all members of staff. The annual MLRO report to the Board should feature in your Board calendar. It will be important to minute that the board has reviewed the report and to record what action it decided to take as a result. (5) its operating environment. SYSC G A firm should ensure that the systems and controls include: (1) appropriate training for its employees in relation to money laundering; (2) appropriate provision of information to its governing body and senior management, including a report at least annually by that firm's money laundering reporting officer (MLRO) Issue 4 - October 2014 Compliance Guide to the FCA Handbook

37 on the operation and effectiveness of those systems and controls; (3) appropriate documentation of its risk management policies and risk profile in relation to money laundering, including documentation of its application of those policies (see SYSC 9); (4) appropriate measures to ensure that money laundering risk is taken into account in its day-to-day operation, including in relation to: a) the development of new products; b) the taking-on of new customers; and c) changes in its business profile; and 5) appropriate measures to ensure that procedures for identification of new customers do not unreasonably deny access to its services to potential customers who cannot reasonably be expected to produce detailed evidence of identity. In debt collection the processes for taking on new creditor customers will be key among these sections. Where creditors are themselves regulated this will be easier but firms will also need to be able to establish the bona fides of nonregulated clients. Allocating this role to a senior individual demonstrates that the firm treats it money laundering obligations seriously and therefore has them reported at the highest level. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

38 SYSC R A firm must allocate to a director or senior manager (who may also be the money laundering reporting officer) overall responsibility within the firm for the establishment and maintenance of effective anti-money laundering systems and controls. This will be a key appointment and is an approved persons role. The Money Laundering Reporting Officer SYSC A firm (with the exception of a sole trader who has no employees) must: (1) appoint an individual as MLRO, with responsibility for oversight of its compliance with the FCA's rules on systems and controls against money laundering; and Reporting lines for the MLRO should be reviewed to ensure he is able to raise any concerns at an appropriate level. A direct reporting line to the Chair of the Audit Committee or Chief Executive merits consideration even if a standard reporting line remains in place. (2) ensure that its MLRO has a level of authority and independence within the firm and access to resources and information sufficient to enable him to carry out that responsibility. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

39 SYSC The job of the MLRO within a firm is to act as the focal point for all activity within the firm relating to anti-money laundering. The FCA expects that a firm's MLRO will be based in the United Kingdom. Note the requirement that the MLRO is UK based. Financial crime guidance SYSC The FCA provides guidance on steps that a firm can take to reduce the risk that it might be used to further financial crime in FC (Financial crime: a guide for firms). This guidance is in the Regulatory Guides section of the FCA Handbook. SYSC 7.1 Risk control SYSC G SYSC R requires a firm to have effective processes to identify, manage, monitor and report the risks it is or might be exposed to. Issue 4 - October 2014 Compliance Guide to the FCA Handbook

40 SYSC R A firm should establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm's activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm. SYSC 7.1.2A G Other firms should take account of the risk management policies and procedures rule (SYSC R) as if it were guidance (and as if should appeared in that rule instead of must) as explained in SYSC 1 Annex G. SYSC 7.1.2B G SYSC 7.1.2C G Text amended to take account of the proportionality rule SYSC 7.1.2A G below. Risk management is a key function of the FCA regime and is also likely to figure strongly in SIF interviews and supervisory visits. In larger businesses this may mean adopting a process of risk mapping/ identification. In smaller businesses it is still important to know what are the main risks facing your business and how they are mitigated. These sections do not apply to credit relate regulated firms. SYSC R A.firm should adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm's activities, processes and systems, in light of that level of risk tolerance. The text of this and rule have been amended to reflect how they apply to credit related regulated firms as a result of SYSC 7.1.4B below. Issue 4 - October 2014 Compliance Guide to the FCA Handbook