As the due date for licensed corporations to submit their Managers-In-Charge (MICs) details to the Securities and Futures Commission (SFC) is approaching (17 July 2017), it is timely for senior management and the respective MICs to revisit the Management, Supervision and Internal Control Guidelines For Persons Licensed by or Registered with the Securities and Futures Commission (Internal Control Guidelines or ICG) to examine whether they have in place adequate and effective internal control.
All eight areas set out in the ICG are relevant to the MICs for Overall Management Oversight and Key Business Lines. There are also specific sections which are directly relevant to the MIC core functions: Operational Control and Review, Risk Management, Information Technology and Compliance.
We urge clients to give the ICG due focus. The ICG, written back in 2003, may be considered tricky to reconcile with the provisions of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (Code of Conduct) as the two documents have a different structure. However, we hope that clients will find this summary useful and timely for their roles under the new senior management accountability regime.
Paragraph 4.3 of the Code of Conduct requires licensed firms to have sufficient internal control procedures to protect their operations and clients from financial loss caused by theft, fraud and other misconduct.
Areas requiring internal control
- Management and supervision
- Segregation of duties and functions
- Personnel and training
- Information management
- Operational control
- Risk management
Suggested control techniques
In addition to guidance in the above areas, the ICG provides additional practical steps in connection with operational control and risk management (see separately Parts A and B of the Appendix of the ICG).
Although these steps are described as “suggested control”, it is advisable for them to be considered as regulatory requirements and followed by licensed firms, including their employees, directors and other persons performing services on behalf of the firm (collectively referred to as “staff”).
Who is responsible?
The “management” personnel of licensed firms are responsible for ensuring their firms have in place effective internal control to ensure compliance with all the relevant laws and regulations.
The term “management” includes the firms and their senior management, including the board of directors, Chief Executive Officer, Managing Director, or other senior operating management personnel.
1. Management and supervision
Qualified and experienced individuals should take up management and supervisory roles. Management should have in place a robust internal control system including:
- Written policies and procedures which are well communicated to and followed by staff
- Established clear reporting lines with supervisory and reporting responsibilities assigned to the appropriate staff
2. Segregation of duties and functions
- Supervisory and line operational duties should be segregated
- Certain operational functions must be segregated to avoid conflicts of interest (e.g. sales and dealing)
- Compliance and audit functions should be separated from operations and related supervisory functions, and report directly to management
3. Personnel and training
Staff should be fit and proper for their roles and responsibilities and appropriately licensed. Staff should also be provided with:
- adequate and up-to-date written policies and procedures
- initial and ongoing regular training
In particular, the policies must include staff personal account dealing rules that require semi-annual disclosure of investment holdings by staff.
4. Information management
Qualified and experienced staff should be assigned to manage information, which should be managed in a secure and controlled environment. Management should ensure the firm has in place:
- Clearly defined information management reporting requirements
- Information management system design and implementation programmes
- Appropriate and effective electronic data processing and data security policies
5. Compliance
Qualified and experienced staff should be responsible for the compliance function. Management should ensure the firm has in place the following written rules:
- Clear compliance policies
- Effective compliance procedures
- Complaints procedures
- Escalation and reporting procedures
6. Operational control
Management should have in place control measures covering the following areas:
- Collection and maintenance of client information
- Exercising client delegation of discretionary authority
- Provision of investment advisory services
- Management of conflicts of interest
- Disclosure of material interest in a client transaction
- Handling of client orders
- Avoiding market misconduct and other misbehaviour
- Avoiding errors
- Protection of firm’s and clients’ assets
Please read Part A of the Appendix to the ICG for the details of the control required.
7. Audit
Qualified and experienced audit personnel should be responsible for the internal audit function. Management should ensure the internal audit function is effective, independent and objective, and reports directly to the management / audit committee.
Management should also ensure the following are in place:
- Clear terms of reference for external and internal audit functions
- Adequate planning, control and reporting of audit review work; timely reporting of findings, conclusions and recommendations to management; and satisfactory follow-up and resolution of risks highlighted in reports
8. Risk management
Management should have in place an appropriate and effective risk management function, as well as written policies and procedures including risk measurement, reporting methodologies and review mechanism. Please read Part B of the Appendix to the ICG for the details of the control required.