What does the FCA's Systems and Controls Sourcebook (SYSC) mean for firms and Senior Managers?
The past two years have brought a whirlwind of new regulatory requirements, guidance and legislation that financial services firms have had to keep up with. But this doesn’t make the existing regs any less important – in fact, some of the new requirements make familiarity with existing ones all the more vital. A great example is the importance of SYSC to Senior Managers, whom the Senior Managers and Certification Regime makes individually accountable for the areas in their remit. SYSC now includes the requirements of the SM&CR, but the earlier chapters are crucially important for those accountable under the Regime and their practical responsibilities for their firm’s arrangements.
So this week, to ease us gently into 2020, we’ll take a look at the part played by the FCA’s Senior management arrangements, Systems and Controls Sourcebook, or SYSC, and what it means for firms and for Senior Managers.
The sourcebook is contained under the High Level Standards section of the Handbook, along with the Principles for Businesses, the Code of Conduct and Training and Competence sourcebook, etc. As such, for the most part, SYSC sets out general requirements for the organisation of business affairs and it is up to firms (i.e. senior managers and the board) to decide how the requirements might apply in practice given the organisation of the business. This approach allows for a single sourcebook across the whole range of financial services firms, no matter the size or complexity of the business.
SYSC is designed to ensure that responsibility for proper organisation of the business is given to specific, competent individuals, and to ensure that directors and senior managers take direct, practical responsibility for the organisation of elements of the business that might fall under the remit of the FCA. It is also designed to ‘amplify Principle 3’, which states that firms must ‘take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.’
SYSC itself is divided into 28 individual chapters. Chapters apply depending on the type of firm and a handy application guide is given within the first part of chapter 1. Several chapters apply to all firms, including ‘Group risk systems and controls requirements’ and the chapters covering the Senior Managers and Certification Regime; these are where the specific requirements relating to regulatory references, allocation of responsibilities, responsibilities maps and the certification regime, among other elements, are set out.
The key takeaway is the theme of responsibility and accountability. While the rules and guidance may, in general, be fairly high level within the earlier chapters of SYSC, individual senior managers must ensure compliance in their individual areas of responsibility, ensure that the operation of business complies with regulatory obligations, and maintain appropriate records, which must also be able to evidence compliance. This all means that accountable individuals need to have a thorough grounding in the areas of the business for which they are accountable.
Using chapter 6.1 – ‘compliance’ as an example, a couple of overarching rules are imposed on applicable firms. Taking the major rule - that firms must establish, implement and maintain policies and procedures that ensure regulatory compliance and lessen the risk of financial crime, throughout the firm – although the FCA provide some additional guidance on practical steps for reducing the risk of financial crime in an additional document, no more specific information or guidance on the substance or arrangement of the policies and procedures is given. The onus, then, is on those responsible to ensure that the policies and procedures work well and are effective given the business of the firm.
In practice, ‘effective’ policies and procedures are likely to differ quite widely across financial services. With this rule, accountability for ensuring that proper procedures are designed, created, implemented, continuously used by the firm, and maintained rests clearly with senior management. Crucially, while the responsible senior manager does not need to carry out the leg-work in designing and maintaining the policies and procedures, they are accountable for them. Policies and procedures must be created, they must be effective and so monitored, tested and updated, and they must be abided by throughout the firm – and by appointed representatives and tied agents.
Senior managers, then, need to have a good grounding in SYSC to ensure that each requirement is met. And the action the FCA can take over breaches or failures could be significant. In October 2019, the Regulator imposed a discounted penalty of over £15 million in part because of failures to organise and control its affairs responsibly and effectively, in particular in relation to risk management systems – covered extensively within SYSC.
To help firms and individuals, we have created a focussed, summary guide, which explains the main rules in plain English needed to ensure compliance. The guide is available for purchase in the FCA Guidance section of our website.