A firm must establish, implement and maintain adequate policies and procedures to ensure that the firm complies with its regulatory responsibilities and to counter the risk of financial crime. These processes should ensure compliance at all levels of the firm, including managers, employees and appointed representatives.
The firm should maintain a permanent and effective compliance function/role (this may however just be one person with responsibility for compliance monitoring). This function/role should:
- be responsible for monitoring the firm’s compliance;
- assess the adequacy and effectiveness of processes and procedures; and
- advise and assist managers, employees and appointed representatives who are responsible for carrying out any regulated activity.
This function or person should ensure that:
- all employees are trained and understand what they should do, how they should do it and by when it needs to be completed;
- procedures are documented and available to all members of staff; and
- compliance is monitored and any breaches are:
– reported;
– investigated to identify the root cause; and
– followed by actions to rectify the situation and to ensure that it will not happen again.
Samples of a compliance breach report and compliance log are included in the template section at the end of this chapter (SYSC Templates 4 and 5). Also included in this section are a “Compliance activity log” (SYSC Template 6), which details common compliance activities that need to be carried out during the year; a Compliance Monitoring Programme (SYSC Template 6a), which outlines the monitoring that a firm should be undertaking; and a Regulatory Requirements Checklist (SYSC Template 8), which identifies each requirement that a firm needs to have.
It may be appropriate for a firm to have a separate compliance function. If it does, it should ensure that:
- organisation and responsibilities are documented;
- it is staffed by an appropriate number of competent staff who have the necessary expertise, authority and access to all relevant material to enable them to undertake their role;
- compliance staff are not involved in the performance of the services which they are monitoring;
- a compliance officer is appointed with responsibility for the compliance function and producing the necessary reports to the governing body;
- the method of remunerating the compliance staff must not compromise their objectivity; and
- it is adequately resourced.
Internal audit (SYSC 6.2)
Depending on the size, nature and complexity of the organisation, it may be necessary to establish an internal audit function that is separate and independent from the other functions of the firm. This function would have the following responsibilities:
- establish, implement and maintain an audit plan to evaluate the adequacy and effectiveness of the firm’s systems and controls;
- issue recommendations based on the result of any audits undertaken;
- verify compliance with those recommendations; and
- produce the annual compliance report to the governing body.
A regulatory requirements checklist and an audit checklist are included in the template section at the end of this chapter (SYSC Templates 8 and 9). A compliance activity log detailing common compliance activities that need to be carried out during the year is also included in this section (SYSC Template 6).