The governance framework of an FSP must—
(1) be proportionate to the nature, scale, risks and complexity of the business of the FSP;
(2) include, but not limited to, effective and adequate systems of corporate governance, risk management (including conduct risk management) and internal controls that subject to subsection (1) includes—
    (a) a business plan setting out the aims and scope of the business, the business strategies and related matters;
    (b) risk management policies, procedures and systems, including—
        (i) effective procedures for risk assessment, which identify the risks relating to the FSP’s activities, processes and systems, and where appropriate, set the level of risk tolerated by the FSP;
        (ii) effective procedures and systems—
            (aa) to ensure compliance by the FSP, its officers, employees, key individuals and representatives with the Act and other applicable laws, including the Financial Intelligence Centre Act, 2001 and other applicable anti-money laundering or terrorist financing legislation;
            (bb) to ensure compliance with decisions and decision-making procedures at all levels of the FSP;
            (cc) to detect any risk of failure by the FSP to comply with applicable legislation, and put in place measures and procedures to minimise such risk; and
            (dd) that provide for corrective actions to be taken in respect of non-compliance, weak oversight, failure of controls or lack of sufficient management;
        (iii) systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, including—
            (aa) electronic data security and internal and external cybersecurity;
            (bb) physical security of assets and records;
            (cc) system application testing;
            (dd) back-up and disaster recovery plans and procedures for systems and electronic data; and
        (iv) systems and processes to ensure accurate, complete and timeous processing of data, reporting of information and the assurance of data integrity;
        [Section 37(2)(b)(iii)(iv) numbering substituted by section 4 of Notice No. 707, GG43474, dated 26 June 2020]
    (c) accounting policies and procedures to enable the FSP to record, report and deliver in a timely manner to the Registrar financial reports which reflect a true and fair view of its financial position and which comply with the applicable reporting and accounting standards and requirements;
    (d) sound and sustainable remuneration policies and practices which promote the alignment of interests of the FSP with those of its clients and which avoid excessive risk taking and unfair treatment of customers;
    (e) a business continuity policy aimed at ensuring, in the case of an interruption to the FSP’s systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities;
    (f) a recovery plan for the restoration of the FSP’s financial situation following a significant deterioration and viable resolution plan setting out options for the orderly resolution of the FSP in the case of failure; and
    (g) provide for regular monitoring and evaluation of the adequacy and effectiveness of its systems, processes and internal control mechanisms and measures to address any deficiencies and to determine whether it serves reasonably to ensure—
        (i) risk detection and compliance with applicable legislation;
        (ii) the integrity of the FSP’s practices, including the treatment of clients with due care, skill and diligence and in a fair, honest and professional manner; and
        (iii) appropriate segregation of key duties and functions, particularly those duties and functions which, when performed by the same individual, may result in undetected errors or may be susceptible to abuses which expose the FSP or its clients to inappropriate risks.