5. SYSTEMS AND CONTROLS
5.1. General requirements
5.1.1. Requirement to maintain systems and controls
An Authorised Person must establish and maintain systems and controls, including, but not limited to, financial and risk systems and controls, that ensure that its affairs are managed effectively and responsibly by its senior management.
5.1.2. Review of systems and controls
An Authorised Person must undertake regular reviews of its systems and controls.
5.1.3. Business plan and strategy
(1) An Authorised Person must produce a business plan which enables it, amongst other things, to manage the risks to which it and its Clients are exposed.
(2) The business plan must take into account the Authorised Person's current business activities and the business activities forecast for the next twelve months.
(3) The business plan must be documented and updated as appropriate to take account of changes in the business environment and to reflect changes in and the complexities of the business of the Authorised Person.
5.1.4. Prevention of market abuse, financial crime and other illegal conduct
An Authorised Person must establish and maintain systems and controls that ensure, as far as reasonably practical, that the Authorised Person and its Employees do not engage in conduct, or facilitate others to engage in conduct, which may constitute:
- (a) Market Abuse, wherever committed;
- (b) a Financial Crime under any applicable laws; or
- (c) a contravention of applicable Regulations or Rules.
5.2. Outsourcing
5.2.1. Responsibility for compliance
An Authorised Person which outsources any of its functions or activities directly related to Regulated Activities or Market Activities to a service provider (including a service provider within its Group) is not relieved of its regulatory obligations and remains responsible for compliance with the Framework Regulations and Rules.
5.2.2. Outsourced function deemed to be carried on by Authorised Person
The outsourced function under GEN 5.2.1 shall be deemed to be carried out by the Authorised Person itself.
5.2.3. Due diligence and supervision
An Authorised Person which uses a service provider as referred to in GEN 5.2.1 must ensure that it:
- (a) has undertaken due diligence in choosing a suitable service provider;
- (b) effectively supervises the outsourced functions or activities; and
- (c) deals effectively with any act or failure to act by the service provider that leads, or might lead, to a breach of any Regulations or Rules.
5.2.4. Notification of AFSA of material outsourcing arrangements
An Authorised Person must inform the AFSA about any material outsourcing arrangements.
Guidance: material outsourcing arrangement
An outsourcing arrangement will be considered to be material if it is a service of such importance that weakness or failure of that service would cast serious doubt on the Authorised Person's continuing ability to remain fit and proper or to comply with the Framework Regulations and Rules administered by the AFSA.
5.2.5. Material outsourcing arrangements
An Authorised Person which has a material outsourcing arrangement must:
- (a) establish and maintain comprehensive outsourcing policies, contingency plans and outsourcing risk management programmes;
- (b) enter into an appropriate and written outsourcing contract; and
- (c) ensure that the outsourcing arrangements neither reduce its ability to fulfil its obligations to Clients and the AFSA, nor hinder supervision of the Authorised Person by the AFSA.
5.2.6. Terms of outsourcing contracts
An Authorised Person must ensure that the terms of its outsourcing contract with each service provider under a material outsourcing arrangement require the service provider to:
- (a) provide information and documents where required by the AFSA under section 96 of the Framework Regulations; and
- (b) deal in an open and co‐operative way with the AFSA.
5.3. Corporate governance
5.3.1. Governing Body
An Authorised Person must have a Governing Body that meets the requirements of GEN 5.3.2 (membership), 5.3.3 (responsibilities) and 5.3.4 (competence, training and access to information).
5.3.2. Governing Body – membership
An Authorised Person’s Governing Body must comply with the requirements set out below:
- (a) the composition of the Governing Body of an Authorised Person must reflect an adequately broad range of experience;
- (b) the Governing Body must possess adequate collective knowledge, skills and experience in order to understand the Authorised Person’s activities and risks; and
- (c) members of the Governing Body must:
(i) commit sufficient time to perform their functions on the Governing Body;
(ii) act with honesty, integrity and independence of mind; and
(iii) effectively assess and challenge, where necessary, the decisions of the senior management, and oversee and monitor decision making.
5.3.3. Governing Body – responsibilities
The Governing Body of an Authorised Person must:
- (a) define and oversee the implementation of governance arrangements that ensure the effective and prudent management of the Authorised Person in a manner which promotes the integrity of the market, which must at least include:
(i) the segregation of duties in the organisation; and
(ii) the prevention of conflicts of interest in its operation;
- (b) monitor and periodically assess the effectiveness of the Authorised Person’s governance arrangements; and
- (c) take appropriate steps to address any deficiencies found as a result of the monitoring under sub-paragraph (b).
5.3.4. Governing Body – competence, training and access to information
An Authorised Person must:
- (a) devote adequate human and financial resources to the induction and training of members of the Governing Body;
- (b) ensure that the Governing Body has access to the information and documents it requires to oversee and monitor management decision-making;
- (c) engage a broad set of qualities and competences when recruiting Persons to the Governing Body, and for that purpose have a policy promoting diversity on the Governing Body; and
- (d) notify the AFSA of the identity of all the members of its Governing Body.
5.3.5. Senior management
An Authorised Person must ensure that the senior management of the Authorised Person have clear responsibility for the day‐to‐day management of the Authorised Person's business in accordance with the business objectives and strategies approved or set by the Governing Body.
5.3.6. Management information
An Authorised Person must establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise, monitor and control its activities, to comply with all relevant Regulations and Rules and to manage risks. The information must be relevant, accurate, comprehensive, timely and reliable.
5.3.7. Remuneration structure and strategy
The Governing Body of an Authorised Person must ensure that the Remuneration structure and strategy of that Authorised Person:
- (a) are consistent with the business objectives and strategies and the identified risk parameters within which the Authorised Person's business is to be conducted;
- (b) provide for effective alignment of risk outcomes and the roles and functions of the Employees, taking account of:
(i) the nature of the roles and functions of the relevant Employees; and
(ii) whether the actions of the Employees may expose the Authorised Person to unacceptable financial, reputational and other risks;
- (c) at a minimum, include the members of its Governing Body, the senior management, Approved Individuals and any Designated Individuals; and
- (d) are implemented and monitored to ensure that they operate, on an on‐going basis, effectively and as intended.
5.4. Compliance
5.4.1. Requirement to maintain compliance arrangements
An Authorised Person must establish and maintain compliance arrangements, including processes and procedures that ensure and evidence, as far as reasonably practicable, that the Authorised Person complies with all relevant Regulations and Rules.
5.4.2. Documentation of compliance arrangements
An Authorised Person must document the organisation, responsibilities and procedures of the compliance function.
5.4.3. Compliance Officer – sufficient resources
An Authorised Person must ensure that the Compliance Officer has access to sufficient resources, including an adequate number of competent staff, to perform his duties objectively and independently of operational and business functions.
5.4.4. Compliance Officer – access to records and management
An Authorised Person must ensure that the Compliance Officer has unrestricted access to relevant records and to the Authorised Person’s Governing Body and senior management.
5.4.5. Monitoring and reporting arrangements
An Authorised Person must establish and maintain monitoring and reporting processes and procedures to ensure that any compliance breaches are readily identified, reported and promptly acted upon.
5.4.6. Documentation of monitoring and reporting arrangements and breaches
An Authorised Person must document the monitoring and reporting processes and procedures as well as keep records of breaches of any relevant Regulations or Rules.
5.5. Internal audit
5.5.1. Requirement to maintain internal audit function
An Authorised Person must establish and maintain an internal audit function with responsibility for monitoring the appropriateness and effectiveness of its systems and controls.
5.5.2. Independence of internal audit function
An Authorised Person must ensure that its internal audit function is independent from operational and business functions.
5.5.3. Access to records and resources
An Authorised Person must ensure that its internal audit function has unrestricted access to all relevant records and, when needed, recourse to the Authorised Person's Governing Body or to the relevant committee established by its Governing Body for this purpose.
5.5.4. Documentation of organisation, responsibilities and procedures
An Authorised Person must document the organisation, responsibilities and procedures of the internal audit function.
5.6. Conflicts of interest
5.6.1. Identification of conflicts of interest
An Authorised Person or Ancillary Service Provider must take all reasonable steps to identify conflicts of interest that may arise between:
- (a) the Authorised Person or Ancillary Service Provider (including its managers and Employees, and any Person directly or indirectly linked to it by control) and the Clients of the Authorised Person or Ancillary Service Provider; or
- (b) one Client of the Authorised Person or Ancillary Service Provider and another Client,
in the course of the Authorised Person carrying on any Regulated Activity or Market Activity, or the Ancillary Service Provider carrying on Ancillary Services.
5.6.2. Factors relevant to the existence of a conflict of interest in the provision of a service
For the purposes of identifying the types of conflict of interest that arise, or may arise, in the course of providing a service and whose existence may entail a material risk of damage to the interests of a Client, an Authorised Person or Ancillary Service Provider must take into account, as a minimum, whether the Authorised Person or Ancillary Service Provider, or a Person directly or indirectly linked by control to the Authorised Person or Ancillary Service Provider:
- (a) is likely to make a financial gain, or avoid a financial loss, at the expense of the Client; or
- (b) has an interest in the outcome of a service provided to the Client or of a transaction carried out on behalf of the Client, which is distinct from the Client's interest in that outcome; or
- (c) has a financial or other incentive to favour the interest of another Client or group of Clients over the interests of the Client; or
- (d) carries on the same business as the Client; or
- (e) receives or will receive from a Person other than the Client an inducement in relation to a service provided to the Client, in the form of monies, goods or services, other than the standard commission or fee for that service.
5.6.3. Management of conflicts of interest
If arrangements made by an Authorised Person or Ancillary Service Provider to manage conflicts of interest are not sufficient to ensure, with reasonable confidence, that risks of damage to the interests of a Client will be prevented, the Authorised Person or Ancillary Service Provider must clearly disclose the general nature and/or sources of conflicts of interest to the Client before undertaking business for the Client.
5.6.4. Disclosure of conflicts of interest
The disclosure in GEN 5.6.3 must:
5.7. Information barriers
5.7.1. Establishment of information barriers
When an Authorised Person establishes and maintains an information barrier (that is, an arrangement that requires information held by the Authorised Person in the course of carrying on one part of its business to be withheld from, or not to be used for, Persons with or for whom it acts in the course of carrying on another part of its business), it may:
- (a) withhold or not use the information held; and
- (b) for that purpose, permit Employees in the first part of its business to withhold the information held from Employees in the other part of the business, but only to the extent that the business of one of those parts involves the carrying on of Regulated Activities or Market Activities.
5.7.2. Information barriers within a group
Information may also be withheld or not used by an Authorised Person when this is required by an established arrangement maintained between different parts of the business (of any kind) in the same group.
5.7.3. Relevance of information barrier to Market Abuse
Acting in conformity with GEN 5.7.1 and 5.7.2 does not amount to Market Abuse.
5.7.4. Effect of information barrier
When an Authorised Person manages a conflict of interest using the arrangements in GEN 5.7.1 and 5.7.2 which take the form of an information barrier, individuals on the other side of the information barrier will not be regarded as being in possession of knowledge denied to them as a result of the information barrier.
5.8. Management of risks
5.8.1. Operational risk
An Authorised Person must establish a robust operational risk management framework with appropriate systems and controls to identify, monitor and manage the operational risks that key participants, other Authorised Persons, service providers (including providers of outsourced functions) and utility providers might pose to it.
5.8.2. Legal risk
An Authorised Person must have a well‐founded, clear, transparent, and enforceable legal basis for each material aspect of its activities in all relevant jurisdictions.
5.8.3. Fraud risk
An Authorised Person must establish and maintain effective systems and controls to:
- (a) deter and prevent suspected fraud against the Authorised Person; and
- (b) report suspected fraud and other financial crimes to the AFSA and other relevant authorities.
5.8.4. Business continuity plan
An Authorised Person must have a business continuity plan, which is subjected to periodic review and scenario testing, that addresses events posing a significant risk of disrupting operations, including events that could cause a widespread or major disruption.
5.9. Recordkeeping
5.9.1. Record keeping obligation
An Authorised Person or Ancillary Service Provider must make and retain records of matters and dealings, including Accounting Records and corporate governance practices, which are the subject of requirements and standards under the Framework Regulations and Rules.
5.9.2. Retrieval of records
An Authorised Person or Ancillary Service Provider must ensure that records stored pursuant to GEN 5.9.1 are capable of reproduction on paper within a reasonable period not exceeding five Business Days.