The FSA’s general requirement, which applies to all organisations, states that:

“A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.”

The FSA provide confirmation in SYSC 3.1.2 G of the variety of factors that might be taken into account and will affect the design and maintenance of an organisation’s internal controls which states:

(1) The nature and extent of the systems and controls which a firm will need to maintain under SYSC 3.1.1R will depend upon a variety of factors including:
(a) the nature, scale and complexity of its business;
(b) the diversity of its operations, including geographical diversity;
(c) the volume and size of its transactions; and
(d) the degree of risk associated with each area of its operation.

(2) To enable it to comply with its obligation to maintain appropriate systems and controls, a firm should carry out a regular review of them.

SYSC 3.2.6R sets out the general requirement applying to all organisations. It states,
“A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.”

The rules clearly provide organisations with the latitude to design compliance systems and controls that are appropriate to their business model and unique business risks rather than providing a one size fits approach.  Further guidance is provided in SYSC 3.2.7G (1) which makes it clear that an individual organisation’s approach to its compliance arrangements will be dependent on the nature, scale and complexity of its business. The FSA will expect to see that the compliance function is staffed by an appropriate number of competent staff and that the compliance staff are both sufficiently independent to perform their duties objectively as well as having unrestricted access to the organisation’s records as well as ultimate recourse to its governing body.

As part of the FSA’s plan to introduce a single integrated prudential sourcebook, in Consultation Paper 142, it set out proposals for revised guidance applying to almost all regulated organisations on the establishment and maintenance of appropriate systems and controls. Operational risk covers matters such as the risk from employees, managing inadequacies in a organisations processes, outsourcing and business continuity management. The basic guidance is provided at SYSC  3A7.1G which states, 

“A firm should establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in its processes and systems (and, as appropriate, the systems and processes of third party suppliers, agents and others).”

In managing its operational risk an organisation should take into account both the importance and complexity of the processes and systems it uses during the overall operating cycle for its business activities as well as the products it offers its customers. The FSA have set an expectation in SYSC 3A.7.1(3) G that it will when considering the adequacy of a organisations systems take into account whether the design and use of its processes and systems allow it to comply adequately with regulatory and other requirements.

How we can help