Article (9): General Risk Management & Internal Control Systems
C 6/2020 Effective from 30/10/2020
The Licensee must have in place appropriate risk management policies and procedures for managing the risks arising from the operation of its SVF scheme that are commensurate with the scale and complexity of the scheme.
The general risk management and internal control systems requirements set out in this Article also apply to licensed banks that carry out the SVF business in the State.
Risk management
A Licensee must have in place an effective risk management framework, which is approved by the board of directors. Dedicated human resources should be equipped with sufficient professional knowledge and experience to oversee the risk management and internal control processes.
Liquidity risk management
A Licensee must establish and implement an effective process for managing liquidity risk that is appropriate for the size and complexity of its operations. The objective is to ensure that the Licensee will have sufficient liquidity to meet different financial obligations arising from its day-to-day operations as well as redemption requests under all plausible circumstances.
Internal controls
A robust internal control system must be put in place to promote effective and efficient operation, safeguard assets, provide reliable financial and management information, enable prevention or early detection of irregularities, fraud and errors, and ensure compliance with relevant statutory and regulatory requirements and internal policies.
A Licensee should put in place a comprehensive business strategy and plan, including details on the strategic goals and roadmap. A business plan should normally cover proposed business in terms of geographical scope of operations, target markets and Customer breakdown, client types and base size, product and services offering, delivery channels, pricing strategy, and promotion and marketing activities.
Compliance and internal audit functions
A Licensee must maintain an effective (i) compliance function; and (ii) internal audit function to ensure compliance with all applicable legal and regulatory requirements as well as its own policies, procedures and controls. Among other factors, the quality of a Licensee’s compliance and internal audit functions will be assessed by the Central Bank based on its:
7.1. clear governance framework with board level support to ensure effective policies and sufficient authorities to perform the functions;
7.2. relevant professional knowledge and experience;
7.3. independence from business units;
7.4. direct and unfettered access to the board;
7.5. coverage, comprehensiveness and effectiveness of compliance and internal audit programs; and
7.6. ability to take timely and proactive rectifying actions upon identifying non-compliance or other control deficiencies.
The compliance function must not be combined with the internal audit function.
Reporting to the Central Bank
A Licensee must have effective procedures to ensure submission of data and information requested by the Central Bank in a timely and accurate manner, including: (a) incidents having a material adverse impact on its business, operation, assets, risks or reputation; and (b) breach of any statutory or regulatory requirements by the Licensee or its officers or employees.
A Licensee should at least annually perform a risk assessment by its own risk management or audit function. If the results of the risk assessment suggest that a detailed independent assessment is necessary, the Licensee should conduct such assessment and cover the following seven key areas: (a) corporate governance and risk management; (b) Float management; (c) technology risk management; (d) payment security management; (e) business continuity management; (f) business conduct and consumer protection; and (g) AML/CFT controls systems. If the Licensee has an independent function elsewhere in its group, with the relevant knowledge and experience, the independent assessment can be conducted by its internal function. Otherwise the assessment must be carried out by an independent third party.
The report mentioned in paragraph 10 above must be submitted to the Central Bank after being approved by the board of directors. These reports must include an executive summary highlighting the key risks, most important findings and the actions for rectifying the issues.
Arising from the findings of the annual risk assessment, a Licensee that is unable to meet its obligations must immediately report this to the Central Bank.
A Licensee must also immediately notify the Central Bank of any breach or potential breach of major regulatory requirements in this Regulation.