2012-01-01

Management, Supervision, and Internal Control Standards for entities licensed by the Capital Markets Authority (CMA)

The Capital Markets Authority requires licensed entities to implement comprehensive internal control frameworks covering management structure, personnel training, information management, compliance, and auditing. Firms must strictly enforce segregation of duties, establish robust risk management policies for credit, market, and operational risks, and maintain adequate asset protection measures. These standards mandate ongoing board oversight and regular reviews to ensure that internal systems are capable of identifying, monitoring, and mitigating threats to regulatory, strategic, and reputational stability.

Capital Markets Authority Kenya


Introduction and regulatory objective of the Standards

The Internal Control Standards have been developed by CMA in accordance with section 11(3) (e), (f) and (w) of the Capital Markets Act to ensure the proper conduct of a licensed or an approved business and:

  1. to ensure, on a continuous basis and on a timetable determined by CMA, that licensed entities which are members of a Self Regulatory Organization (SRO) (an exchange or a clearing house) or other entities undertaking licensed activities, are complying with the applicable laws, rules and regulations and that such compliance provides assurance of:
     a) the ability to carry on the business in an orderly and efficient manner;
     b) safeguarding its assets and the assets of its clients;
     c) maintenance of proper records and the reliability of financial and other information used within and published by the business;
     d) compliance with all applicable laws and regulatory requirements; and
     e) the completeness and competency of the compliance function of the firm;

  2. to achieve an appropriate level of comfort that a licensed person is in compliance with the requirements of CMA. To this end CMA will utilise a variety of resources and tools, including assessment questionnaires submitted to licensed entities as well as on-site and off-site inspections either by CMA staff or by third parties instructed by CMA. Third party inspections may include those by Self-Regulatory Organisations (SROs) and compliance teams or independent accounting or legal firms instructed by CMA.

Review Process

  1. The review process will entail gaining an understanding of the securities related businesses and organizational structure of the firm. CMA may consider the following in the process of review:
     a) What is the involvement of the board and senior management in setting and monitoring compliance?
     b) What is the tone from the top? Do they promote a strong and proactive culture of compliance in the firm in setting overall compliance policy? Do they recognize the high priority of compliance and actively work with senior compliance officers?
     c) Evaluating how the firm fulfils its compliance responsibilities: the independent oversight of compliance by the firm and its employees; compliance functions including coverage, resources, systems, and communications with the board and senior management; experience and independence of personnel with compliance responsibility; and a review of employee supervision including hiring, registration, licensing, continuing education, personal trading, and training.
     d) a review of the supervisory structure;
     e) written supervisory procedures including front line supervision and branch office supervision;
     f) an evaluation of how the firm identifies and addresses compliance risks, including how it assesses its own compliance program (branch examinations, audits, new product reviews, surveillance, and attitude to whistle-blowing);
     g) a risk management review which looks to ensure that risk (credit, market, legal and operational risks) is identified, assessed, monitored, and controlled within the licensed firm.

  2. There is no standardized blueprint for assuring compliance within a licensed firm and compliance may be accomplished through a centralized department or dispersed among various control units.

  3. The design and implementation of the compliance system of a firm must take into account factors such as size and geographic dispersion, types of business activities, products offered and customers of the firm, operations and technology, legal and regulatory issues, market conditions, and other relevant factors.

  4. Compliance must be viewed as constantly evolving: as the environment changes, or as better practices come to light, firms should change their compliance systems accordingly to maintain the highest level of appropriate compliance controls.

  5. In addition to considering the internal controls, systems and the risk management controls deployed by the firm, CMA will supplement such reviews by assessing, as necessary: Business Matters, Industry Developments, Complaints and Compliance Exceptions, and Problems with the Compliance Program.

I. MANAGEMENT AND SUPERVISION

OBJECTIVE To ensure that an effective management and organisational structure, which ensures that the operations of the business are conducted in a sound, efficient and effective manner, is established, documented and maintained.

Control Standards

  1. The Management shall assume full responsibility for the operations of the firm including the development, implementation and on-going effectiveness of the internal controls of the firm and the adherence thereto by its directors and employees.
  2. The Management shall ensure that regular and effective communication occurs within the firm so that the Management is kept continually and promptly apprised of the status of the operations and financial position of the firm, including qualitative and quantitative risks posed thereto or weaknesses detected therein, non-compliance with legal and regulatory requirements and the overall adherence to the defined business objectives of the firm.
  3. The Management shall ensure that reporting lines are clearly identified with supervisory and reporting responsibilities assigned to the appropriate staff member(s).
  4. The Management shall ensure that detailed policies and procedures pertaining to authorisations and approvals, as well as the authority of key positions are clearly defined and communicated to and adhered to, by staff.
  5. The Management shall ensure that the management and supervisory functions of the firm are performed by qualified and experienced individuals.

II. SEGREGATION OF DUTIES AND FUNCTIONS

OBJECTIVE To ensure that key duties and functions are appropriately segregated, particularly those duties and functions which when performed by the same individual may result in undetected errors or may be susceptible to abuses which may expose the firm or its clients to inappropriate risks.

Control Standards

  1. The Management shall ensure that, where practicable, policy formulation, supervisory and other internal review or advisory functions, including, where applicable, compliance and internal audit, are effectively segregated from line operational duties. Such segregation serves to ensure the effectiveness of supervisory and other internal controls established by the Management.
  2. The Management shall ensure that operational functions including, but not limited to, sales, dealing, accounting and settlement are, where practicable, effectively segregated to minimize the potential for conflicts, errors or abuses which may expose the firm or its clients to inappropriate risks. Special care should be taken to ensure that the sales and dealing functions are segregated from the research function where a potential conflict of interest exists. Where practicable, the research and the corporate finance functions should be segregated to ensure the objectivity of the research function.
  3. The Management shall ensure that the compliance and internal audit functions are effectively segregated and independent from the operational and related supervisory functions, and report directly to the Board.

III. PERSONNEL AND TRAINING

OBJECTIVE To ensure that appropriate personnel recruitment and training policies are established, with adequate consideration given to training needs, to ensure compliance with the operational and internal control policies and procedures of the firm, and with all applicable legal and regulatory requirements to which the firm and its employees are subject.

Control Standards

  1. The Management shall implement procedures to ensure that the firm employs persons who are fit and proper to perform the duties for which they are employed and that such persons are duly registered with all applicable regulatory bodies as required.
  2. The Management shall ensure that all staff and other persons performing services on behalf of the firm are provided with adequate and up-to-date documentation regarding the policies and procedures of the firm, which should include those relating to internal controls and personal dealing.
  3. The Management shall ensure that adequate training suitable for the specific duties which staff member(s) perform is provided both initially and on an ongoing basis. The training programme of the firm should ensure that staff possess or acquire appropriate and practical experience through "on-the-job" training and, where appropriate, structured courses.

IV. INFORMATION MANAGEMENT

OBJECTIVE To ensure that policies and procedures are established to ensure integrity, security, availability, reliability and thoroughness of all information, including documentation and electronically stored data, relevant to the business operations of the firm.

Control Standards

  1. The Management shall ensure that the management of information, both in physical and electronic form, is assigned to qualified and experienced staff member(s).
  2. The Management shall ensure that the operating and information management systems of the firm (including electronic data processing ("EDP") systems) meet the needs of the firm and operate in a secure and adequately controlled environment.
  3. The Management shall ensure that information management reporting requirements are clearly defined to ensure the adequacy and timeliness of production of required internal and external reports including those required by relevant regulatory and self-regulatory bodies.
  4. The Management shall ensure that key components of the information management system design and implementation programme are adequately documented and regularly reviewed for effectiveness.
  5. The Management shall ensure that appropriate and effective EDP and data security policies and procedures are implemented to prevent and detect the occurrence of errors, omissions or unauthorised insertion, alteration or deletion of, or intrusion into, the data processing system of the firm (electronic or otherwise) and data (covering all confidential information in the possession of the firm, such as clients' personal and financial information and price sensitive information).
  6. The Management shall establish and maintain effective record retention policies which ensure that all relevant legal and regulatory requirements are complied with, and which enable the firm, its auditors and other interested parties, for example exchanges, clearing houses and the Authority to carry out routine and ad hoc comprehensive reviews or investigations.

V. COMPLIANCE

OBJECTIVE To ensure that policies and procedures are established and maintained to ensure compliance of the firm with all applicable legal and regulatory requirements as well as with the internal policies and procedures of the firm.

Control Standards

  1. The Management shall establish and maintain an appropriate and effective compliance function within the firm which, subject to constraint of size, is independent of all operational and business functions, and which reports directly to Management.
  2. The Management shall ensure that staff performing the compliance function possess the necessary skills, qualifications and experience to enable them to effectively execute their duties.
  3. The Management shall establish and enforce clear policies to ensure that the compliance function covers all relevant aspects of the firm's operations, including the unfettered access to necessary records and documentation.
  4. The Management, in conjunction with the staff performing the compliance function, shall establish, maintain and enforce effective compliance procedures.
  5. The Management shall establish, maintain and enforce policies and procedures to ensure the proper handling of complaints from clients and that appropriate remedial action is promptly taken.
  6. Staff performing the compliance function shall promptly report to the Management all occurrences of material non-compliance by the firm or its staff with legal and regulatory requirements, as well as with policies and procedures of the firm.

VI. AUDIT

OBJECTIVE To ensure that an audit policy and related review function which objectively examines, evaluates and reports on the adequacy, effectiveness and efficiency of the management, operations and internal controls of the firm is established and maintained.

Control Standards

  1. Where practicable, the Board of the firm shall establish an independent and objective internal audit function which is free of operating responsibilities.
  2. The Board shall develop clearly prescribed terms of reference which set out the scope, objectives, approach and reporting requirements for the external audit functions and, where applicable, the internal audit functions.
  3. The Board shall ensure that the person(s) performing the review function possess the necessary technical competence and experience.
  4. The Board shall ensure that there is adequate planning, control and recording of all audit and review work performed.

VII. OPERATIONAL CONTROLS

OBJECTIVE To ensure that effective policies and operational procedures and controls in relation to the day-to-day business operations of the firm are established, maintained and complied with.

Control Standards

  1. The Management shall establish and maintain processes to obtain and confirm information regarding every client. (Further standards relate to discretionary authority, investment advice, conflict of interest, order handling, price sensitive information, asset protection, and records.)

VIII. RISK MANAGEMENT

OBJECTIVE To ensure that effective policies and procedures are established and maintained to ensure the proper management of risks to which the firm and, if applicable, its clients are exposed.

Control Standards

  1. The Management shall ensure that appropriate and effective risk management policies are established and monitored by a risk management function. (Further standards relate to proprietary trading, risk exposure reporting, and methodologies.)