Finansinspektionen's Regulatory Code

Publisher: Finansinspektionen, Sweden, www.fi.se
ISSN 1102-7460

Finansinspektionen's Regulations and General Guidelines regarding the management of operational risks; FFFS 2014:4
Published 17 April 2014, decided on 11 April 2014.

Finansinspektionen prescribes the following pursuant to Chapter 5, Section 2, point 4 of the Banking and Financing Business Ordinance (2004:329) and Chapter 6, Section 1, points 9 to 13 of the Securities Market Ordinance (2007:572), and provides the following general guidelines.

Chapter 1 Scope

Section 1 These regulations include provisions on how an undertaking is to manage its operational risks.

Section 2 The regulations apply to the following undertakings:
1. banking companies,
2. savings banks,
3. members' banks,
4. credit market companies,
5. credit market associations, and
6. investment firms.

Section 3 However, Sections 15 to 23 of Chapter 5 and Section 4, point 1 of Chapter 6 do not apply to investment firms.

Section 4 The regulations contain provisions relating to the following:
Scope (Chapter 1),
Governance and responsibility (Chapter 2),
Identification and measurement (Chapter 3),
Reporting (Chapter 4),
Management of operational risks in operations (Chapter 5), and
Further requirements for the management of operational risks within investment services and activities and foreign exchange trading (Chapter 6).

Definitions

Section 5 In these regulations and general guidelines, the same definitions are used as in Chapter 1, Section 3 of Finansinspektionen's Regulations and General Guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions and Finansinspektionen's Regulations (FFFS 2007:16) governing investment services and activities, unless otherwise stated in the regulations. In addition, the following definitions apply:
1. contingency plan: a plan describing the measures that an undertaking is to take to deal with serious and extensive interruptions, disruptions or crises,
2. incident: an event that has, or is at risk of having, an adverse effect on the undertaking's operations, assets or reputation,
3. continuity plan: a plan describing how operations are to be maintained in the event of an interruption or a major operational disruption,
4. operational risk: the same as in Article 4(1)(52) of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (1),
5. process: a chain of consecutive activities that produces a result based on a certain input of resources, and
6. recovery plan: a plan describing the priorities and procedures according to which an undertaking shall revert to normal operations following an interruption or major operational disruption.

(1) Cf. Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1, Celex 32013R0575).

Chapter 2 Governance and responsibility

Section 1 An undertaking shall determine a risk appetite for its operational risks. The undertaking shall have limits for its operational risks within the framework of its risk appetite. The undertaking shall use its products, services, functions, processes and IT systems as a basis for setting limits. It should be possible to use qualitative or quantitative measures to assess these limits. The undertaking shall document its risk appetite and limits.

The board of directors shall decide on, and regularly evaluate and if necessary update, the risk appetite for operational risks. The managing director shall decide on, and regularly evaluate and if necessary update, the limits for operational risks.

Section 2 An undertaking shall have internal rules for the management of operational risks specifying
1. the main operational risks to which the undertaking is exposed,
2. first, the methods and processes used to identify, measure and manage operational risks, which shall also take into account infrequent incidents of a serious nature, and second, procedures for managing the risk that these methods may yield erroneous results, and
3. the undertaking's procedures for determining and monitoring the risk appetite and limits under Section 1.

If the undertaking uses risk transfer in the course of its management of operational risks, the principles for this should be specified in its internal rules.

The board of directors shall decide on the internal rules.

The undertaking shall observe the nature, scope and complexity of the operations.

Outsourcing agreements

Section 3 Provisions regarding outsourcing agreements are provided in Chapter 9 of Finansinspektionen's Regulations (FFFS 2007:16) governing investment services and activities, and Chapter 10 of Finansinspektionen's Regulations and General Guidelines (FFFS 2014:1) regarding governance, risk management and control at credit institutions.

Chapter 3 Identification and measurement

Section 1 An undertaking shall identify operational risks in its products, services, functions, processes and IT systems.

Section 2 An undertaking shall have methods to identify and measure its operational risks. These methods shall be documented.

Section 3 An undertaking shall regularly measure the operational risks under Section 1 by assessing the likelihood of their occurring and the impact they would have. The undertaking shall also determine the measures to be taken to manage these risks.

Risk indicators

Section 4 An undertaking shall determine and document indicators and thresholds for its operational risks that provide a warning when risks increase. The undertaking shall regularly review and, if necessary, update these indicators and thresholds.

General guidelines
Examples of indicators that the undertaking should consider:
1. frequent reorganisations or major operational changes,
2. high staff turnover,
3. a large number of vacant posts,
4. a large number of customer complaints,
5. that the number of incidents has increased or the type of incidents has changed, and
6. that the internal audit function has reported deficiencies in the internal rules.

Incidents

Section 5 An undertaking shall have internal rules to manage incidents arising in its operations.

Section 6 An undertaking shall document and analyse an incident when it occurs. The undertaking shall also document the losses that have arisen in conjunction with the incident. The undertaking shall have procedures in place to ensure that this information is correct. This does not apply to an incident reported anonymously.

The undertaking shall use the information in the first paragraph when identifying and measuring operational risks under Section 3.

Chapter 4 Reporting

Section 1 When reporting operational risks to the board of directors and managing director, an undertaking shall specify
1. indicators for operational risks under Chapter 3, Section 4,
2. breaches of risk appetite and risk limits under Chapter 2, Section 1, and
3. serious incidents.

The undertaking shall also report the results from tests of the contingency, continuity and recovery plans to the board of directors at least once a year.

when applying the first and second paragraphs.

Chapter 5 Management of operational risks in operations

Processes

Section 1 An undertaking shall determine and specify in a list its operating processes that are of material significance. This list shall be regularly reviewed and updated if necessary.

Section 2 An undertaking shall document the processes under Section 1 and appoint a person or function to be responsible for each such process.

Section 3 An undertaking shall specify in internal rules how to document the processes under Section 1 and how operational risks in these processes are to be managed.

General guidelines
The undertaking should describe the following in the process documentation under Section 2:
1. which rules affect the design of the process,
2. the process's main activities and their relationships (flowcharts),
3. the information used in the activities under 2,
4. the quality requirements imposed on the information under 3,
5. which IT systems support the process,
6. at which points controls are carried out and decisions made in the process,
7. stakeholders in the process, e.g. staff, customers, public authorities, subcontractors and other undertakings, and
8. the output of the process, e.g. a service, product or other output.

Section 4 An undertaking shall have procedures in place to analyse whether there are activities in the processes under Section 1 where there is a risk of significant losses due to, for example, mistakes, manipulation of information, or the potential to hide erroneous assessments and losses. The undertaking shall introduce the necessary controls in the processes if it identifies such activities.

The procedures under the first paragraph shall be documented.

when applying the first and second paragraphs.

Staff

Section 5 An undertaking shall have procedures in place for how to manage operational risks with regard to its staff, stating how the undertaking
1. verifies essential information, taking particular account of the risk of conflicts of interest, when employing new staff,
2. ensures that it has sufficient staff in relation to the work duties,
3. evaluates whether it has any staff with such expertise, or occupying such a function, that they are difficult to replace at short notice, and appoints replacements for such staff,
4. determines requirements for expertise and knowledge for staff and also ensures that their expertise and knowledge are maintained,
5. determines and updates job descriptions, mandates and limits,
6. deals with the duty of confidentiality regulated in Chapter 1, Section 10 of the Banking and Financing Business Act (2004:297) and Chapter 1, Section 11 of the Securities Market Act (2007:528), and
7. identifies and manages operational risks that may arise in conjunction with staff internally changing work duties or organisational unit.

Legal risks

Section 6 An undertaking shall specify in internal rules how it manages legal risks. The internal rules shall specify how the undertaking
1. ensures that its operations comply with laws, statutes and other regulations,
2. ensures and follows up the accuracy and validity of contracts entered into or other legal documents concluded,
3. archives contracts and other legal documents, and
4. manages and follows up legal processes.

The internal rules under the first paragraph shall also specify which person or function is responsible for the management of 1 to 4.

Security work

Section 7 An undertaking shall have internal rules for security work that include information about which assets and values are to be protected. The undertaking shall specify the measures to be taken to protect these assets and values and also the extent of these measures.

General guidelines
The undertaking should use scenarios or simulations in its security work to increase awareness of how different types of threat, impropriety and criminal act may arise in the undertaking's operations.

Section 8 Provisions on information security are provided in Chapter 2 of Finansinspektionen's Regulations and General Guidelines (FFFS 2014:5) regarding information security, IT operations and deposit systems.

IT systems

Section 9 Provisions on how an undertaking is to manage IT systems are provided in Chapter 3 of Finansinspektionen's Regulations and General Guidelines (FFFS 2014:5) regarding information security, IT operations and deposit systems.

Approval process

Section 10 An undertaking shall have a process in place to approve new or materially altered products, services, markets, processes and IT systems, and also major changes to the undertaking's operations and organisation.

Section 11 An undertaking shall describe the approval process under Section 10 in internal rules. The internal rules shall also specify
1. what the undertaking means by new products, services, markets, processes and IT systems, by materially altered existing ones, and by major changes to the undertaking's operations and organisation, and
2. the functions and units that are to participate in the process.

When producing the internal rules, the undertaking shall consider the nature, scope and complexity of the operations.

Section 12 An undertaking shall ensure that the approval process under Section 10 has the following components:
1. controls to ensure compliance with applicable rules,
2. analysis of whether the undertaking's risk levels may increase or new risks may arise, and whether this could affect the undertaking's capital requirements,
3. controls to ensure that there are sufficient staff and access to expertise, internal rules, tools and processes in business units, and also in support and control functions, to be able to understand and monitor the risks, and
4. documentation of approval decisions stating the considerations on which the decision was based.

Section 13 The risk control function shall determine whether the process under Section 10 is to apply if this has not been specified in the internal rules under point 1 of Section 11.

Section 14 When an undertaking decides on a new product, service, market, process or IT system, it shall determine which person or function is to be responsible for managing the risks associated therewith.

Continuity management

Section 15 An undertaking shall specify the following in its internal rules for continuity management:
1. the methods and procedures that the undertaking is to follow to have properly functioning continuity management; these methods and procedures shall include contingency, continuity and recovery plans,
2. the officers responsible (roles and positions) for steering operations and for deciding on measures in the event of an interruption or major operational disruption, and
3. principles for managing and making decisions on measures depending on the type and scope of the interruption or major operational disruption.

The managing director shall decide on the internal rules.

Section 16 An undertaking shall determine the longest period permitted for an interruption for each process under Chapter 5, Section 1.

Impact analysis and recovery planning

Section 17 An undertaking shall regularly analyse the impact of such interruptions or major operational disruptions as may occur in the undertaking's operations and also in the operations that the undertaking has engaged another party to perform.

Section 18 The impact analysis under Section 17 shall be conducted at all business units and support functions, considering their interdependence. An undertaking shall use the analysis as a basis for
1. determining the undertaking's priorities and goals in order to revert to normal operations after an interruption or major operational disruption, and
2. producing contingency, continuity and recovery plans.

The plans under 2 shall be documented.

Section 19 An undertaking shall ensure that its main data centre is at a sufficient geographical distance from the location where the undertaking stores its back-up copies.

General guidelines
If the undertaking has an alternative data centre, it should ensure that this is not dependent on the same physical infrastructure as the main data centre, and that the data and back-up copies stored at the two data centres cannot be destroyed simultaneously.

Communication and training

Section 20 An undertaking shall have procedures to manage its internal and external communications in conjunction with an interruption or major operational disruption. When planning its communications, the undertaking shall also consider that an interruption or disruption may have a significant impact on the activity of subsidiaries or branches, or affect the financial system in some other way.

Section 21 An undertaking shall regularly train and inform its staff about how to use the contingency, continuity and recovery plans.

Updating and testing of plans

Section 22 An undertaking shall regularly update and test its contingency, continuity and recovery plans so that they are adapted to its operations and to the priorities for reverting to normal operations under Section 18. The undertaking shall appoint a person or function to be responsible for updating and testing each such plan.

Section 23 An undertaking shall determine the following in its internal rules for continuity management under Section 15:
1. what kinds of test it will perform under Section 22, and
2. how often the tests are to be performed.

Contingency, continuity and recovery plans for processes under Chapter 5, Section 1, and also the IT systems supporting these processes, shall be tested at least once a year.

Chapter 6 Further requirements for the management of operational risks within investment services and activities and foreign exchange trading

Section 1 The provisions of this chapter shall, in addition to those stated in Chapters 1 to 5, be applied by undertakings authorised to provide investment services and perform investment activities under Chapter 2, Section 1, points 2 and 3 of the Securities Market Act (2007:528) and by undertakings that engage in foreign exchange trading under Chapter 7, Section 1, point 12 of the Banking and Financing Business Act (2004:297).

Segregation of duties

Section 2 An undertaking shall ensure that the work duties of staff who initiate and execute business transactions are kept separate from those of staff whose work involves supporting, verifying and monitoring these transactions.

Staff

Section 3 An undertaking shall ensure that staff who deal with business transactions are, for a period of at least ten consecutive working days in a twelve-month period, not able to
1. initiate and execute business transactions,
2. approve or confirm business transactions, or
3. process payments linked to business transactions.

Transaction management

Section 4 An undertaking shall ensure that
1. there is a complete and documented verification chain for each transaction, and that this verification chain ensures traceability that enables follow-up in relation to each trader,
2. there are documented procedures and controls throughout the entire chain, from the opening of a business relationship to the settlement of the transactions executed,
3. the terms and conditions for a transaction are documented and confirmed before trading starts,
4. staff who initiate and execute business transactions provide the support functions with the information and documentation required as soon as possible after the finalisation of a transaction, so that they can reconcile, confirm, settle and verify the transaction,
5. procedures are established to manage and report transactions that have been executed incorrectly,
6. procedures are established to manage and report unconfirmed transactions, and to review them on a daily basis, and
7. transactions, payments and positions are reconciled on a daily basis.

The reconciliation under 7 shall also include amendments and cancellations.

Managing collateral

Section 5 An undertaking shall have procedures in place to manage and control the collateral provided in conjunction with transactions and positions.

Section 6 An undertaking shall ensure that procedures are established for verifying availability within counterparty limits before these are used in conjunction with trading.

Monitoring and control

Section 7 In the event of material deviations or unreasonable results during trading, an undertaking shall analyse whether these have been caused by mistakes, irregularities or other occurrences in its operations.

Section 8 An undertaking shall review and reconcile all of its accounts on an ongoing basis.

Section 9 An undertaking shall verify the value of its net positions and the transactions that give rise to them.

Section 10 An undertaking shall determine and regularly follow up limits for its positions. The undertaking shall set the limits so that they can be followed up and controlled.

Section 11 An undertaking shall check, at least on a quarterly basis, that access permissions for the IT systems used in its operations are restricted to what is needed for the work duties allocated.

These regulations and general guidelines shall enter into force on 1 June 2014.

MARTIN ANDERSSON
Agnieszka Arshamian
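The three staff-related controls in Chapter 6 (Section 2, segregation of duties; Section 3, at least ten consecutive working days away from initiating, confirming and paying for transactions; Section 11, a quarterly check that IT-system permissions match allocated work duties) can all be reconciled mechanically from two inputs: the duty list held by line management or HR, and a permission export from the trading, confirmation and payment systems. The script below is an added example written for this page; it is not part of FFFS 2014:4 and is not Finansinspektionen's or any undertaking's code. The duty names, permission strings, staff records and the July 2024 leave window are constructed assumptions, and the role model treats weekends as non-working days with no public-holiday calendar.

```python
"""Access review helper reconciling granted permissions with allocated duties.

Added example; not part of FFFS 2014:4 and not Finansinspektionen's code.
All users, duties, permission names and dates are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed role model (assumption): the permissions each allocated duty justifies.
DUTY_PERMISSIONS = {
    "trader": {"trading:create_order", "trading:execute"},
    "confirmations": {"trading:confirm"},
    "payments": {"payments:release"},
    "risk_control": {"trading:read", "limits:read"},
}

# Permissions on either side of the front-office / control line (Ch. 6, ss. 2 and 3).
# Read-only permissions sit on neither side.
INITIATE_OR_EXECUTE = {"trading:create_order", "trading:execute"}
VERIFY_OR_PAY = {"trading:confirm", "payments:release"}


def review_access(allocated_duties, granted_permissions):
    """Reconcile IT-system grants with allocated duties (Ch. 6, s. 11).

    allocated_duties:    {user: set of duty names} from line management / HR
    granted_permissions: {user: set of permission strings} exported from IT systems
    Returns a list of (finding, user, sorted detail) tuples, ordered by user.
    """
    findings = []
    for user in sorted(granted_permissions):
        perms = granted_permissions[user]
        duties = allocated_duties.get(user, set())
        if not duties:
            # Live account with no allocated duties: a leaver or an orphaned account.
            findings.append(("no_allocated_duties", user, sorted(perms)))
            continue
        justified = set().union(*(DUTY_PERMISSIONS[d] for d in duties))
        excess = perms - justified
        if excess:
            findings.append(("excess_permission", user, sorted(excess)))
        # Segregation of duties is checked on the effective grants, not on the
        # duty list: a stale grant is exactly what the quarterly review must catch.
        if perms & INITIATE_OR_EXECUTE and perms & VERIFY_OR_PAY:
            findings.append(("sod_conflict", user,
                             sorted(perms & (INITIATE_OR_EXECUTE | VERIFY_OR_PAY))))
    return findings


def next_working_day(d):
    """The next Monday-to-Friday date after d (no public-holiday calendar assumed)."""
    d += timedelta(days=1)
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def longest_blocked_run(blocked_days):
    """Longest run of consecutive working days on which trading access was blocked.

    blocked_days is a set of dates on which the user could neither initiate,
    confirm nor pay for transactions.  Weekend dates are ignored, so a run may
    span a weekend.  Compare the result with the ten-working-day minimum in
    Ch. 6, s. 3 for the twelve-month period under review.
    """
    best = run = 0
    prev = None
    for day in sorted(d for d in blocked_days if d.weekday() < 5):
        run = run + 1 if prev is not None and next_working_day(prev) == day else 1
        best = max(best, run)
        prev = day
    return best


# Constructed sample export: one quarter's duty list and IT permission dump.
SAMPLE_DUTIES = {
    "alice": {"trader"},
    "bob": {"confirmations"},
    "carol": {"payments"},
    "dave": {"risk_control"},
}
SAMPLE_GRANTS = {
    "alice": {"trading:create_order", "trading:execute"},
    "bob": {"trading:confirm", "trading:execute"},   # stale grant from bob's old desk
    "carol": {"payments:release", "limits:read"},     # read access nobody allocated
    "dave": {"trading:read", "limits:read"},
    "erin": {"trading:execute"},                      # left the firm, account still live
}
# Constructed leave record: alice's trading access blocked 1 to 12 July 2024 (two working weeks).
SAMPLE_LEAVE = {date(2024, 7, 1) + timedelta(days=i) for i in range(12)}


def sample_review():
    """Run the quarterly review over the constructed sample data."""
    return review_access(SAMPLE_DUTIES, SAMPLE_GRANTS)


if __name__ == "__main__":
    for finding in sample_review():
        print(*finding)
    print("alice, longest blocked run in working days:", longest_blocked_run(SAMPLE_LEAVE))
```

Two design points are worth keeping when adapting this. The segregation check runs on effective grants rather than on the duty list, because the failure mode the quarterly review exists to catch is a grant that outlived the duty that justified it (bob in the sample). The Section 3 check needs a record of when access was actually disabled, not merely a leave calendar, since the rule concerns what the person is able to do, and that only holds if the time away is enforced in the systems rather than just booked in HR.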